Alibaba Cloud Model Setup
Pass. Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: alibaba-cloud-model-setup
Version: 0.1.4
The skill bundle is designed to configure Alibaba Cloud Bailian as an OpenClaw model provider. The `SKILL.md` provides clear instructions for the AI agent, including explicit script execution commands and safety rules, without any evidence of prompt injection attempts for malicious purposes. The `scripts/alibaba_cloud_model_setup.py` script performs expected actions such as detecting config paths, prompting for user input, validating API keys against Alibaba Cloud endpoints (`aliyuncs.com`), backing up existing configuration, and updating the OpenClaw JSON configuration file. While the script defines command-line arguments like `--persist-env-shell` and `--persist-env-systemd` which could imply persistence mechanisms, the corresponding code to implement these actions is not present in the `main` function, rendering them inert. All network and file system operations are aligned with the stated purpose of configuring the model provider, with no evidence of data exfiltration, unauthorized execution, or other malicious intent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The configured API key may allow OpenClaw to make paid or account-bound model requests to Alibaba Cloud.
The skill explicitly collects and stores an Alibaba/DashScope API key. This is expected for configuring a provider, but it is sensitive account authority.
Run interactive script to collect:
 - API key (with validation)
 - API key storage mode (env-var recommended or inline)
Use the least-privileged API key available, prefer environment-variable storage over inline config, and avoid sharing the generated config file.
Future OpenClaw requests may be routed to Alibaba Cloud models, potentially affecting cost, privacy, and model behavior.
The skill modifies local OpenClaw configuration and can update model defaults. This is the intended function, and the artifacts describe backups and validation.
Backup existing config before modification
6. **Update config** with provider, models, and defaults
Confirm the selected site, model, and default-provider setting before approving the config write; keep the timestamped backup until the setup is verified.
If used, the API key may remain available in future shell sessions or a user-level OpenClaw service until manually removed.
The script includes optional persistence mechanisms for the API key environment variable and can restart a user service. The flags are explicit and purpose-aligned, but they create lasting local environment changes.
--persist-env-shell ... "Write export line to shell profile (default ~/.bashrc)" ... --persist-env-systemd ... "Write env var to systemd user override and restart service"
Only enable shell or systemd persistence if you need it; know where the key is written and how to remove it later.
