Aliyun Swas Manage
Review
Audited by ClawScan on May 18, 2026.
Overview
The skill mostly matches Alibaba Cloud server management, but one helper can remotely add SSH access and enable root login on an instance, which should be reviewed before use.
Install only if you intend to let the agent manage Alibaba Cloud SWAS resources. Use least-privilege Alibaba Cloud credentials, review any mutating operation before it runs, and be especially cautious with the SSH repair script because it can add persistent key access and enable root SSH login on a server.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or overly broad invocation could weaken SSH security, grant persistent access via a key, or disrupt SSH access on the wrong Alibaba Cloud instance.
The helper uses SWAS RunCommand to modify SSH configuration on a target instance, defaults to root, enables root login, adds a key, and restarts SSH. This is a high-impact remote mutation without an in-script confirmation or rollback path.
`parser.add_argument("--user", default="root") ... echo 'PermitRootLogin yes' >> $SSHD_CONFIG ... client.run_command(... command_content=script)`
Require explicit user approval before running this helper, validate the target instance and region, avoid enabling root login by default, validate and safely quote user/port/key inputs, and provide a backup and rollback procedure.
Credentials used with this skill may allow starting, stopping, modifying, or executing commands on cloud servers depending on the RAM policy attached.
The skill relies on Alibaba Cloud credentials to manage cloud resources. This is expected for the stated purpose, but those credentials can authorize sensitive account and instance operations.
Configure least-privilege Alibaba Cloud credentials before execution. Prefer environment variables: `ALICLOUD_ACCESS_KEY_ID`, `ALICLOUD_ACCESS_KEY_SECRET`, optional `ALICLOUD_REGION_ID`.
Use a least-privilege RAM user or role, prefer short-lived credentials when possible, and do not provide account-wide keys unless the requested task truly needs them.
Future package updates could change behavior or introduce dependency risk.
The documented setup installs external SDK packages without version pins. This is a normal provider-SDK setup step, but unpinned dependencies reduce reproducibility and supply-chain control.
`python -m pip install alibabacloud_swas_open20200601 alibabacloud_tea_openapi alibabacloud_credentials`
Install in a virtual environment and pin known-good package versions or use a reviewed lockfile for repeatable use.
