Aliyun Platform Docs Review

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill mostly matches a public documentation-review workflow, but it unnecessarily asks users to configure Alibaba Cloud access keys without clearly declaring or justifying that authority.

Review carefully before installing. The public docs-review behavior looks coherent, but do not provide Alibaba Cloud access keys unless the maintainer clearly documents why they are needed and what exact read-only permissions are required.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the skill can contact Alibaba Cloud public documentation/API endpoints and save report/evidence files locally.

Why it was flagged

The bundled script makes external requests to Alibaba Cloud web/API endpoints and writes local review artifacts. This is disclosed and aligned with a docs-review skill, but users should know it uses network access and creates output files.

Skill content

OPENAPI_PRODUCTS_ZH = "https://api.aliyun.com/meta/v1/products.json?language=ZH_CN"
PRODUCT_LIST_URL = "https://www.aliyun.com/product/list"
OUTPUT_ROOT = Path("output/aliyun-platform-docs-review")

Recommendation

Run it only for intended product reviews, keep outputs in the documented directory, and review generated evidence before sharing it.

What this means

A user may expose cloud access keys to the agent environment unnecessarily; if those keys are over-privileged, they could enable actions beyond a documentation review.

Why it was flagged

The skill asks users to prepare sensitive Alibaba Cloud access keys, but the registry declares no required credentials and the visible workflow appears to review public documentation metadata rather than account-scoped resources. The credential scope and need are not clearly bounded.

Skill content

- Configure least-privilege Alibaba Cloud credentials before execution.
- Prefer environment variables: `ALICLOUD_ACCESS_KEY_ID`, `ALICLOUD_ACCESS_KEY_SECRET`, optional `ALICLOUD_REGION_ID`.

Recommendation

Remove the credential prerequisite unless it is strictly required. If credentials are needed, declare them in metadata, specify exact read-only permissions, explain which calls use them, and avoid requesting account keys for public documentation review.