v0.1.0

Aliyun Use

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 7:43 AM.

Analysis

This appears to be a straightforward Aliyun LLM and translation wrapper, with expected API key and external data-sharing considerations.

Guidance

This skill is coherent and purpose-aligned for Aliyun Bailian chat and translation. Before installing, make sure you are comfortable sending prompts or text to Aliyun, use a dedicated API key where possible, and do not override the API host unless it is a trusted endpoint.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Info; Confidence: High; Status: Note
metadata
Source: unknown; Homepage: none

The artifacts do not provide a source repository or homepage, which limits independent provenance checks even though the included code is coherent with the stated purpose.

User impact: Users have less external context for who maintains the skill or where updates originate.
Recommendation: Install only if you trust the publisher or have reviewed the included files yourself.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low; Confidence: High; Status: Note
scripts/__main__.py
key = api_key or os.environ.get("ALIYUN_BAILIAN_API_KEY") ... "Authorization": f"Bearer {key}", "x-api-key": key

The skill reads an Aliyun API key and sends it as an authentication credential, which is expected for this integration but gives access to the user's provider account or quota.

User impact: Anyone using this skill must trust it with an Aliyun Bailian API key that may incur usage or expose account access within that provider.
Recommendation: Use a dedicated, least-privileged API key if possible, keep it out of shared logs, and rotate it if it may have been exposed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low; Confidence: High; Status: Note
scripts/__main__.py
payload = {"model": model, "messages": anthropic_messages, ...}; response = requests.post(api_url, headers=headers, json=payload, timeout=60)

The skill transmits chat messages or translation text to the configured external API endpoint, which is central to its purpose but means user content leaves the local environment.

User impact: Prompts, code snippets, or text submitted for translation may be processed by Aliyun or by whatever trusted endpoint the user configures.
Recommendation: Avoid sending secrets or regulated data unless that provider and endpoint are approved for the data being used.