aliyun-domain
Pass
Audited by VirusTotal on May 9, 2026.
Overview
Type: OpenClaw Skill
Name: aliyun-domain
Version: 1.1.0
The aliyun-domain skill bundle is a comprehensive and well-documented tool for managing Alibaba Cloud domain assets. It implements a 'Double Confirmation Principle' for financial operations (registration, renewal) as a security measure within SKILL.md. The Python scripts (aliyun_domain.py, domain_monitor.py) use standard Alibaba Cloud SDKs and safe subprocess execution (list-based arguments) to perform WHOIS and SSL checks, mitigating shell injection risks. The bundle includes a local knowledge base for RAG retrieval and utility scripts for investment analysis, all of which are strictly aligned with the stated purpose of domain management without evidence of malicious intent, data exfiltration, or prompt injection attacks.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run with valid Alibaba Cloud credentials and valid parameters, this sample could submit real domain registration or renewal operations and potentially incur charges without an actual second confirmation.
The example disables the real confirmation prompt, simulates user approval, sets confirmed=True, and the main block runs the registration and renewal examples when the script is executed.
# user_input = input("\n请输入确认:").strip().lower()
# if user_input not in ['确认', 'confirm', 'yes', 'ok', '是']:
# print("❌ 用户取消操作")
# return
# In this example, the user's confirmation is simulated directly
print("\n✅ 模拟用户已确认")
...
result = client.register_domain(..., confirmed=True)
...
if __name__ == '__main__':
    example_register_domain_with_confirmation()
    example_renew_domain_with_confirmation()

Do not run this example as-is. The maintainer should make it a dry-run by default, require live interactive confirmation before confirmed=True, and avoid hard-coded real registration or renewal calls in executable examples.
The skill can act with the granted RAM user's domain permissions, including actions that may change DNS, transfer settings, contact data, renewal settings, or create paid orders.
The skill expects Alibaba Cloud AK/SK credentials and recommends full domain-service permissions, which is powerful authority over the user's domain assets.
"access_key_id": "LTAI5t...", "access_key_secret": "abcdef..." ... Grant the user the `AliyunDomainFullAccess` permission
Use a dedicated RAM subaccount with the narrowest custom permissions needed, avoid root-account keys, store keys securely, and rotate them regularly.
Users may need to install dependencies manually, and exact dependency versions/provenance are not verifiable from the provided install specification.
The README instructs installing dependencies from a requirements file, but the provided install metadata says there is no install spec and the manifest shown does not include requirements.txt.
pip3 install -r requirements.txt
Provide a pinned requirements.txt or explicit install spec, and ensure dependency files referenced in documentation are included in the package.
A local file may reveal which domains the user monitors and historical WHOIS-related details if other local users or tools can read it.
The monitor persists a local list of monitored domains plus WHOIS state and alert history in the user's home directory.
DATA_FILE = os.path.expanduser("~/.domain_monitor.json")
...
data["domains"][domain] = {
    "added_at": datetime.now().isoformat(),
    "last_check": None,
    "initial_whois": whois,
    "last_whois": whois,
    "alerts": [],
}

Document the local data file clearly, restrict file permissions where possible, and provide a cleanup/remove command for users who stop using monitoring.
