ACME SSL automation for Alibaba Cloud ESA DNS

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill appears to do what it says, which is automate certificate issuance for Alibaba Cloud ESA DNS, but it needs cloud DNS credentials and can optionally install a persistent renewal cron job that runs as root.

Use this only on a controlled Linux host where you intend to manage ESA DNS and certificates. Prefer least-privilege, short-lived Alibaba Cloud credentials, verify the target domain and ESA site before running, and review any renewal files the installer creates under /root/.config and /usr/local/sbin, as well as the entry it adds to root's crontab.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can act with the provided Alibaba Cloud permissions to manage ESA DNS records for certificate validation; pasted long-lived keys may remain in chat or local history.

Why it was flagged

The skill requires Alibaba Cloud credentials and can use direct credential values supplied in chat. This is expected for ESA DNS automation, but the credentials grant account authority and should be tightly scoped.

Skill content

Credentials via `ALIYUN_AK` / `ALIYUN_SK` or `ALIBABACLOUD_ACCESS_KEY_ID` / `ALIBABACLOUD_ACCESS_KEY_SECRET` ... If the user provides credentials directly in OpenClaw chat/TUI ... pass them to `--ak` / `--sk` / `--sts-token`.
Recommendation

Use a least-privilege RAM sub-account, prefer short-lived STS credentials, enable IP allowlisting, and avoid pasting long-lived AK/SK values into chat when environment variables can be used.
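As an added example (not the skill's own code), the following POSIX shell preflight implements the recommendation above: it takes credentials from the environment only, refuses `--ak`/`--sk` on the command line (where they would land in shell history and `ps` output), classifies the key as short-lived or long-lived, and logs only a masked key ID. The variable names `ALIYUN_STS_TOKEN` and `ALIBABACLOUD_SECURITY_TOKEN`, and the `LTAI`/`STS.` prefix convention for Alibaba Cloud AccessKey IDs, are assumptions not stated on this page.

```shell
#!/bin/sh
# Added example, not the skill's code. Credential preflight for an ESA DNS
# ACME wrapper: read keys from the environment, never from argv.
# Assumptions: long-lived RAM AccessKey IDs start with "LTAI" and STS
# temporary AccessKey IDs start with "STS."; the token variable names are ours.

# mask_secret VALUE: keep the first and last 4 characters, hide the rest.
mask_secret() {
    _v=$1
    _n=${#_v}
    if [ "$_n" -le 8 ]; then
        printf '********\n'
    else
        printf '%s****%s\n' "$(printf '%s' "$_v" | cut -c1-4)" \
                            "$(printf '%s' "$_v" | cut -c$((_n - 3))-)"
    fi
}

# reject_inline_secrets ARGS...: fail if a secret is passed on the command
# line. Only the flag name is echoed, never its value.
reject_inline_secrets() {
    for _a in "$@"; do
        case $_a in
            --ak|--ak=*|--sk|--sk=*)
                echo "refusing ${_a%%=*} on the command line; export ALIYUN_AK/ALIYUN_SK instead" >&2
                return 1 ;;
        esac
    done
    return 0
}

# resolve_credentials: populate ALIYUN_AK / ALIYUN_SK (and ALIYUN_STS_TOKEN)
# from either supported variable pair and set CRED_KIND to sts|long-lived|unknown.
# Returns 1 when no usable credentials are present.
resolve_credentials() {
    _ak=${ALIYUN_AK:-${ALIBABACLOUD_ACCESS_KEY_ID:-}}
    _sk=${ALIYUN_SK:-${ALIBABACLOUD_ACCESS_KEY_SECRET:-}}
    _token=${ALIYUN_STS_TOKEN:-${ALIBABACLOUD_SECURITY_TOKEN:-}}
    CRED_KIND=
    if [ -z "$_ak" ] || [ -z "$_sk" ]; then
        echo "no Alibaba Cloud credentials in the environment" >&2
        return 1
    fi
    case $_ak in
        STS.*)
            if [ -z "$_token" ]; then
                echo "STS access key without a security token; export ALIYUN_STS_TOKEN" >&2
                return 1
            fi
            CRED_KIND=sts ;;
        LTAI*)
            CRED_KIND=long-lived
            echo "warning: long-lived AccessKey in use; prefer STS and rotate after the run" >&2 ;;
        *)
            CRED_KIND=unknown ;;
    esac
    export ALIYUN_AK="$_ak" ALIYUN_SK="$_sk"
    if [ -n "$_token" ]; then
        export ALIYUN_STS_TOKEN="$_token"
    fi
    echo "credentials: kind=$CRED_KIND id=$(mask_secret "$_ak")" >&2
    return 0
}

# require_short_lived: gate for unattended runs that must not use LTAI keys.
require_short_lived() {
    [ "${CRED_KIND:-}" = sts ]
}

# Demo on constructed values (no API call is made).
if ! reject_inline_secrets --domain example.com --ak LTAIexample; then
    echo "demo: inline secret rejected as expected"
fi
(
    ALIYUN_AK=STS.exampleexampleexample ALIYUN_SK=example-secret ALIYUN_STS_TOKEN=example-token
    resolve_credentials && require_short_lived && echo "demo: short-lived credentials accepted"
)
```

Source this file before invoking the skill's script and call `reject_inline_secrets "$@"` on the arguments; `require_short_lived` is the check to add in front of any non-interactive run so a long-lived key cannot slip into automation unnoticed.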

What this means

Wrong credentials, domains, or record options could affect DNS behavior, certificate validation, or service availability.

Why it was flagged

The skill intentionally mutates DNS records and can optionally manage A/AAAA records. This is central to its purpose and includes an overwrite safeguard, but DNS changes are high-impact.

Skill content

ACME challenge tokens must be written to ESA DNS immediately ... Optional IPv4/IPv6 record management: `--ensure-a-record host=ip` ... Overwrite protection: existing A value is NOT overwritten unless `--confirm-overwrite` is passed
Recommendation

Confirm the target domain, ESA site/region, and record changes before running; use `--confirm-overwrite` only when you intentionally want to replace an existing DNS value.
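As an added example (not the skill's code), here is the decision the `--ensure-a-record host=ip` safeguard has to make, written as a POSIX shell dry-run planner: it validates the `host=ip` argument, picks A or AAAA from the address form, and refuses to write unless the existing value already matches or `--confirm-overwrite` was given. The verdict wording, the validators, and the assumption that the caller has already looked up the existing record value of the same type are mine, not the skill's; no ESA API call is made.

```shell
#!/bin/sh
# Added example, not the skill's code: a dry-run planner for the
# "--ensure-a-record host=ip" / "--confirm-overwrite" safeguard. It only
# decides what the DNS write would be; it makes no ESA API call.

# is_ipv4 ADDR: four dotted decimal octets, 0-255, no leading zeros.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*) return 1 ;;
    esac
    _old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ -n "$_o" ] || return 1
        [ "$_o" -le 255 ] || return 1
        case $_o in 0?*) return 1 ;; esac
    done
    return 0
}

# is_ipv6 ADDR: structural check only (hex groups, at most one "::").
is_ipv6() {
    case $1 in
        ''|*[!0-9a-fA-F:]*) return 1 ;;
        *:::*|*::*::*) return 1 ;;
        *:*) return 0 ;;
    esac
    return 1
}

# is_hostname NAME: letter/digit/hyphen labels joined by single dots,
# no leading or trailing dot or hyphen.
is_hostname() {
    case $1 in
        ''|*[!A-Za-z0-9.-]*|.*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;;
    esac
    return 0
}

# plan_record SPEC EXISTING CONFIRM
#   SPEC      the host=ip value given to --ensure-a-record
#   EXISTING  current value of the record of the same type, "" if none
#   CONFIRM   "yes" when --confirm-overwrite was passed
# Prints one verdict line starting with create|noop|overwrite|refuse|invalid.
# Returns 0 when the write (or doing nothing) is allowed, 1 on refuse, 2 on invalid.
plan_record() {
    _spec=$1; _existing=$2; _confirm=$3
    case $_spec in
        *=*) ;;
        *) echo "invalid: expected host=ip, got '$_spec'"; return 2 ;;
    esac
    _host=${_spec%%=*}
    _ip=${_spec#*=}
    if ! is_hostname "$_host"; then
        echo "invalid: bad host '$_host'"; return 2
    fi
    if is_ipv4 "$_ip"; then
        _type=A
    elif is_ipv6 "$_ip"; then
        _type=AAAA
    else
        echo "invalid: bad address '$_ip'"; return 2
    fi
    if [ -z "$_existing" ]; then
        echo "create: $_type $_host -> $_ip"
    elif [ "$_existing" = "$_ip" ]; then
        echo "noop: $_type $_host already $_ip"
    elif [ "$_confirm" = yes ]; then
        echo "overwrite: $_type $_host $_existing -> $_ip"
    else
        echo "refuse: $_type $_host has $_existing; pass --confirm-overwrite to replace it"
        return 1
    fi
    return 0
}

# Demo on constructed values.
plan_record www.example.com=203.0.113.10 "" ""
plan_record www.example.com=203.0.113.10 203.0.113.10 ""
plan_record www.example.com=203.0.113.10 203.0.113.9 "" || true
plan_record www.example.com=203.0.113.10 203.0.113.9 yes
plan_record www.example.com=2001:db8::10 "" ""
```

Run the planner against the live record value before the real change and keep its output with the change record; a `refuse:` verdict is the moment to check that the host and ESA site are the ones you meant, not a prompt to add `--confirm-overwrite` reflexively.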

What this means

After installation, certificate renewal will keep running on the host and retained credentials could be reused by that job until removed or rotated.

Why it was flagged

The optional installer persists the Alibaba Cloud AK/SK in a root-owned env file (mode 600) and installs a cron job for ongoing renewal. This is disclosed in the skill and aligned with automatic renewal, but it persists beyond the immediate task.

Skill content

cat > "$ENV_FILE" <<EOF
ALIYUN_AK=$(shell_quote "$AK")
ALIYUN_SK=$(shell_quote "$SK")
EOF ... chmod 600 "$ENV_FILE" ... crontab "$newtab"
Recommendation

Install the cron job only on a trusted host, review the generated env file/wrapper/crontab, use temporary or tightly scoped keys, and remove the cron entry and env file if you no longer need automated renewal.
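As an added example (not the skill's installer), the following POSIX shell shows the persistent pieces of an automatic-renewal install written so they can be reviewed and removed: the env file is created with mode 600 from its first byte via `umask` in a subshell rather than a `chmod` after the fact, the cron entry lives between marker comments so it can be replaced idempotently and removed cleanly, and `uninstall_renewal` is the cleanup the recommendation asks for. The crontab is handled as a plain file (what you would pass to `crontab FILE`) so nothing here touches the live crontab; the file names, marker text and renewal command are assumptions.

```shell
#!/bin/sh
# Added example, not the skill's installer: credential env file and cron
# entry for automatic renewal, written to be reviewable and reversible.
# The crontab is a plain file here; install it yourself with `crontab FILE`
# after reading it. Paths, markers and the renewal command are assumptions.

MARK_BEGIN='# BEGIN esa-acme-renew managed block'
MARK_END='# END esa-acme-renew managed block'

# shell_quote VALUE: single-quote VALUE for safe sourcing from an env file.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# write_env_file PATH AK SK: create PATH as mode 0600 from the first byte
# (umask in a subshell), so it is never world-readable even briefly.
write_env_file() {
    _path=$1
    mkdir -p "$(dirname "$_path")"
    (
        umask 077
        printf 'ALIYUN_AK=%s\nALIYUN_SK=%s\n' \
            "$(shell_quote "$2")" "$(shell_quote "$3")" > "$_path"
    )
    chmod 600 "$_path"
}

# file_mode PATH: octal permission bits (GNU stat, BSD stat fallback).
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# remove_cron_entry TABFILE: drop the managed block, leave everything else.
remove_cron_entry() {
    [ -f "$1" ] || return 0
    sed "/^$MARK_BEGIN\$/,/^$MARK_END\$/d" "$1" > "$1.tmp"
    mv "$1.tmp" "$1"
}

# add_cron_entry TABFILE SCHEDULE COMMAND: idempotent; an earlier managed
# block is replaced rather than duplicated.
add_cron_entry() {
    remove_cron_entry "$1"
    printf '%s\n%s %s\n%s\n' "$MARK_BEGIN" "$2" "$3" "$MARK_END" >> "$1"
}

# managed_entries TABFILE: number of managed blocks (0 when the file is absent).
managed_entries() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c -F -- "$MARK_BEGIN" "$1" || true   # grep -c exits 1 on a zero count
}

# uninstall_renewal TABFILE ENVFILE: remove the cron block and the stored key.
uninstall_renewal() {
    remove_cron_entry "$1"
    rm -f "$2"
}

# Demo in a scratch directory with constructed values: create, review, tear down.
demo=$(mktemp -d)
write_env_file "$demo/esa-acme.env" 'LTAIexampleid' "it's-a-secret"
add_cron_entry "$demo/crontab" '17 3 * * *' /usr/local/sbin/esa-acme-renew
echo "env file mode: $(file_mode "$demo/esa-acme.env")"
echo "crontab to review before installing:"
cat "$demo/crontab"
uninstall_renewal "$demo/crontab" "$demo/esa-acme.env"
rm -rf "$demo"
```

To audit a host after the skill's installer has run, the same two checks apply: the env file under /root/.config must report mode 600, and `crontab -l` as root should show exactly one renewal entry pointing at a wrapper you have read. Removing the key file without removing the cron entry leaves a job that fails every night; removing the cron entry without the key file leaves a credential on disk with no consumer, which is why the two are removed together.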

What this means

If acme.sh is installed from an untrusted source, certificate issuance could be compromised independently of this skill.

Why it was flagged

The skill depends on an externally installed acme.sh binary. The documentation points users to the official project and gives safer installation guidance, so this is a supply-chain notice rather than a concern.

Skill content

Install `acme.sh` from the official project before using this skill, and review the installation method you choose instead of piping remote scripts directly to a shell
Recommendation

Install acme.sh from the official source, review the installer, and keep it updated through a trusted mechanism.