Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Aliyun Platform Docs Benchmark
v1.0.0
Use when benchmarking similar product documentation and API documentation across Alibaba Cloud, AWS, Azure, GCP, Tencent Cloud, Volcano Engine, and Huawei Cl...
⭐ 0 · 27 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence

Purpose & Capability
Name/description (multi-cloud docs/API benchmark) align with included code and resources (discovery, scoring, presets). Requesting Alibaba Cloud metadata as an optional enrichment is plausible for an 'Aliyun' branded benchmark, but the skill metadata declares no required env vars while the runtime instructions explicitly request ALICLOUD_* credentials — an inconsistency.
Instruction Scope
SKILL.md instructs the agent to run a local Python script that performs web discovery and API calls and to 'configure least-privilege Alibaba Cloud credentials' and include region/resource id/time range in evidence. It also warns to ask the user before running mutating operations, which implies possible non-read-only interactions. The instructions therefore reach beyond pure passive scraping and could touch cloud APIs or collect sensitive parameters; those behaviors are not fully declared or scoped in the manifest.
Install Mechanism
No install spec; skill is instruction + Python script relying on standard library (urllib, json, re). No third-party packages or external binary downloads were declared, which is proportional and lower-risk.
Credentials
The manifest lists no required environment variables, but SKILL.md asks for ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET (and optional region). Requesting cloud credentials (even 'least-privilege') is sensitive and should be declared in requires.env; currently the credential request is undocumented in the metadata and therefore disproportionate/untracked.
Persistence & Privilege
always:false and no install hooks were declared. The skill does write output artifacts to a local output/ directory per its instructions, which is expected for a benchmarking script. It does not request permanent platform-level privileges in the manifest.
Scan Findings in Context
[pre-scan-none] unexpected: Static pre-scan found no flagged patterns, but the SKILL.md requests Alibaba Cloud credentials and mentions potential mutating operations; the lack of pre-scan findings does not mitigate the manifest/instruction mismatch.
What to consider before installing
This skill appears to implement a reasonable multi-cloud docs benchmarking tool, but there are two things to check before running it:
(1) The SKILL.md asks you to provide Alibaba Cloud credentials (ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET) and an optional region, yet the skill manifest does not declare any required environment variables. Ask the author to declare these env vars explicitly in the skill metadata and to explain exactly which API calls require them.
(2) Inspect the Python script for any operations that modify cloud resources or send data to external endpoints. It performs web/API discovery and writes an output directory; confirm it does not call any mutating APIs or post sensitive evidence elsewhere.
If you must run it, use isolated/least-privilege test credentials, avoid production secrets, prefer providing pinned official links instead of credentials where possible, and run the script in an isolated environment so you can review the generated output before sharing it.
Like a lobster shell, security has layers: review code before you run it.
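The two checks above (manifest `requires.env` versus the credential names referenced in SKILL.md and the script, and urllib calls that send a body or use a non-read-only method) can be scripted so a reviewer does not have to grep by hand. The block below is an added example written for this page; it is not the skill's code and not ClawHub's scanner. It assumes the manifest is JSON with `requires.env` and `always` fields (the scan report names those keys but not the file format; `requires.env` entries are accepted as plain strings or `{"name": ...}` objects), and the embedded SKILL.md and `benchmark.py` texts are constructed stand-ins that reproduce the mismatch the scan describes, not the skill's real files.

```python
import ast
import json
import re

# Constructed sample bundle standing in for the skill's files (not the real ones).
MANIFEST_JSON = json.dumps({
    "name": "aliyun-platform-docs-benchmark",
    "version": "1.0.0",
    "always": False,
    "requires": {"env": []},   # manifest declares nothing, as the scan reports
})

SKILL_MD = """# Usage
Configure least-privilege Alibaba Cloud credentials:
export ALICLOUD_ACCESS_KEY_ID=... ALICLOUD_ACCESS_KEY_SECRET=...
Optionally set ALICLOUD_REGION. Ask the user before any mutating operation.
"""

SCRIPT_PY = '''
import json, os, urllib.request
AK = os.environ.get("ALICLOUD_ACCESS_KEY_ID")
SK = os.getenv("ALICLOUD_ACCESS_KEY_SECRET", "")
REGION = os.environ["ALICLOUD_REGION"]

def fetch(url):
    return urllib.request.urlopen(url, timeout=10).read()

def upload(url, evidence):
    req = urllib.request.Request(url, data=json.dumps(evidence).encode(), method="POST")
    return urllib.request.urlopen(req).read()
'''

# ALL_CAPS tokens with an underscore are treated as env var names; false positives are cheap here.
ENV_TOKEN = re.compile(r"\b[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+\b")
CREDENTIAL_HINT = re.compile(r"KEY|SECRET|TOKEN|PASSWORD|CREDENTIAL", re.I)
READ_ONLY = {"GET", "HEAD", "OPTIONS"}
_INDEX = getattr(ast, "Index", ())   # Python 3.8 wraps subscript slices in ast.Index


def _is_os_attr(node, attr):
    """True for the expression `os.<attr>`."""
    return (isinstance(node, ast.Attribute) and node.attr == attr
            and isinstance(node.value, ast.Name) and node.value.id == "os")


def declared_env(manifest_text):
    """Env var names the manifest declares under requires.env (assumed JSON layout)."""
    entries = json.loads(manifest_text).get("requires", {}).get("env", [])
    return {e["name"] if isinstance(e, dict) else e for e in entries}


def env_reads_in_python(source):
    """Env var names read via os.environ[...], os.environ.get(...) or os.getenv(...)."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Subscript) and _is_os_attr(node.value, "environ"):
            key = node.slice.value if isinstance(node.slice, _INDEX) else node.slice
            if isinstance(key, ast.Constant) and isinstance(key.value, str):
                names.add(key.value)
        elif isinstance(node, ast.Call) and node.args:
            f = node.func
            is_get = (isinstance(f, ast.Attribute) and f.attr == "get"
                      and _is_os_attr(f.value, "environ"))
            if (is_get or _is_os_attr(f, "getenv")) and isinstance(node.args[0], ast.Constant):
                names.add(node.args[0].value)
    return names


def mutating_http_calls(source):
    """Line numbers of urllib calls that carry a request body or a non-read-only method."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        kw = {k.arg: k.value for k in node.keywords}
        body, method = kw.get("data"), kw.get("method")
        if node.func.attr == "Request":
            has_body = body is not None and not (isinstance(body, ast.Constant) and body.value is None)
            bad_method = isinstance(method, ast.Constant) and str(method.value).upper() not in READ_ONLY
            if has_body or bad_method:
                hits.append(node.lineno)
        elif node.func.attr == "urlopen" and (body is not None or len(node.args) > 1):
            hits.append(node.lineno)   # urlopen(url, data) is a POST
    return hits


def audit(manifest_text, skill_md, scripts):
    """Cross-check manifest, instructions and code; returns the findings a reviewer wants."""
    declared = declared_env(manifest_text)
    referenced = set(ENV_TOKEN.findall(skill_md))
    mutating = {}
    for path, src in scripts.items():
        referenced |= env_reads_in_python(src)
        lines = mutating_http_calls(src)
        if lines:
            mutating[path] = lines
    undeclared = sorted(referenced - declared)
    credentials = [n for n in undeclared if CREDENTIAL_HINT.search(n)]
    return {
        "undeclared_env": undeclared,
        "undeclared_credentials": credentials,
        "mutating_http": mutating,
        "verdict": "suspicious" if credentials or mutating else "ok",
    }


if __name__ == "__main__":
    print(json.dumps(audit(MANIFEST_JSON, SKILL_MD, {"benchmark.py": SCRIPT_PY}), indent=2))
```

Run against the constructed bundle, `audit` reports the two secret-bearing ALICLOUD_* names as undeclared credentials and points at the `Request(..., data=..., method="POST")` line as the one place the script could push evidence off-box. Once the author lists the variables under `requires.env` and the script only ever calls `urlopen(url)`, the same function returns `ok`, which is the state you would want to see before installing.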
latest: vk971j9d87mna9wkbt11rmzeprn842z6b
