Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description match the instructions: the SKILL.md describes installing an Aliyun SLS CLI and running queries. However the registry metadata declares no required credentials or config paths while the instructions clearly require access_id/access_key and write/read a config file (~/.aliyunlogcli). This mismatch is an incoherence in the manifest.
Instruction Scope
Instructions stay within the stated purpose (install CLI, configure credentials, run queries). They instruct the agent to prompt the user for access_id/access_key and to consult/append the local references/project_mapping.md. They do not ask to read unrelated system files. Caveat: they recommend passing credentials as CLI flags and storing credentials in a plaintext config, both of which can leak secrets (process lists, disk).
Install Mechanism
This is an instruction-only skill (no install spec). The doc tells users to run a pip install (uv pip install -U aliyun-log-cli). That is a reasonable approach, but 'uv pip' is an environment-specific wrapper not declared in metadata; the package name should be validated (source/trust of 'aliyun-log-cli' on PyPI). No remote arbitrary downloads or extract steps are present.
Credentials
The skill requires Aliyun access_id/access_key to operate, but the registry metadata lists no required env vars or primary credential and no required config path. The SKILL.md also instructs storing credentials in ~/.aliyunlogcli and passing creds via command-line flags — both increase the risk of credential exposure. The absence of declared credential requirements in metadata is a notable mismatch.
Persistence & Privilege
always is false and the skill does not request elevated platform privileges. It does instruct creating/updating a local config file (~/.aliyunlogcli) and appending entries to references/project_mapping.md; these are limited to the skill's own files and are normal but you should be aware they persist credentials/mappings on disk.
What to consider before installing
This skill appears to do what it says (query Aliyun SLS) but pay attention before supplying credentials. The SKILL.md expects access_id/access_key and to write a config file (~/.aliyunlogcli), yet the registry metadata does not declare those requirements — that mismatch should be resolved by the publisher. If you install/use it:
- Prefer using a low-privilege or temporary STS token, not long-lived production keys.
- Avoid passing secrets on the command line when possible (they appear in process listings); prefer environment variables or config files with appropriate file permissions.
- Validate the pip package 'aliyun-log-cli' (source, maintainer, PyPI page) before installing.
- Confirm your agent environment supports the suggested 'uv pip' invocation or adapt to your normal pip/venv workflow.
- If you need stricter controls, do not grant autonomous invocation or supply credentials until you confirm package provenance and the exact runtime behavior.Like a lobster shell, security has layers — review code before you run it.
latestvk97akz2q45kh23hq1fqpthrr4d83cca0
License
MIT-0
Free to use, modify, and redistribute. No attribution required.