Aliyun Openapi Discovery
Review
Audited by ClawScan on May 10, 2026.
Overview
This is mostly a coherent Alibaba Cloud discovery skill, but it needs review because one script can write files using unsanitized product/version names and the skill uses cloud credentials that are not declared in metadata.
Review the path-handling issue before running at scale. If you install it, run it in a controlled workspace, install dependencies from trusted sources, use least-privilege Alibaba Cloud credentials, keep endpoints on official Alibaba Cloud domains, and use the provided filters for large metadata fetches.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A bad product metadata file or unexpected API response could cause generated files or directories to be created outside the intended output folder.
Product code and version values loaded from the products metadata file are used directly as path components before writing files. There is no rejection of '..', slashes, or absolute paths, so poisoned or malformed metadata could write outside the intended output tree.
    product_code = product.get("product_code")
    ...
    product_dir = output_dir / product_code / version
    ...
    out_file.write_text(json.dumps(payload, ensure_ascii=False, indent=2), encoding="utf-8")

Sanitize product_code and version before using them in paths, reject absolute paths and '..' components, and resolve the final path to confirm it remains under the intended output directory.
If these environment variables are present, the agent can make authenticated Alibaba Cloud API requests for the configured account.
The script consumes Alibaba Cloud credentials and optional session tokens for authenticated API calls. This is expected for the stated Alibaba Cloud discovery purpose, but it is sensitive authority.
    access_key_id = os.getenv("ALICLOUD_ACCESS_KEY_ID")
    ...
    access_key_secret = os.getenv("ALICLOUD_ACCESS_KEY_SECRET")
    ...
    client = AcsClient(access_key_id, access_key_secret, "cn-hangzhou", security_token)

Use least-privilege, read-only or short-lived STS credentials where possible, verify endpoints are official Alibaba Cloud endpoints, and avoid running with broad account keys.
Manual dependency installation adds normal package-supply-chain risk and may lead to version drift.
A runtime dependency is required but there is no install spec or lockfile in the provided artifacts, so users must obtain the package themselves.
    print("Missing SDK. Install: pip install aliyun-python-sdk-core", file=sys.stderr)

Declare and pin the dependency in an install spec or lockfile, and install it from the official trusted package source.
