Aliyun Ecs Skill
Pass
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a coherent Alibaba Cloud ECS management skill, but it needs cloud API keys and can change servers, snapshots, and firewall rules.
Before installing, treat this as an administrative cloud tool: use a dedicated least-privilege Alibaba Cloud RAM key, confirm every stop/restart/firewall/snapshot action, and remove or rotate credentials if you no longer need the skill.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the key is over-privileged or the local config file is exposed, someone could manage or disrupt the user's ECS resources.
The skill explicitly asks for Alibaba Cloud API credentials and persists them locally so it can manage ECS resources.
I need your Alibaba Cloud API key... AccessKey Secret... create the `~/.aliyun/config.json` configuration file... write the ECS configuration and key
Use a dedicated RAM subaccount with the minimum permissions needed, avoid sharing broad account keys, protect or remove ~/.aliyun/config.json when not needed, and rotate the key if it was pasted into chat or shell history.
Mistaken use could stop or restart servers, change firewall exposure, or roll back disks from snapshots.
The skill can perform high-impact ECS operations and relies on confirmation guidance to keep those actions user-directed.
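Confirm before dangerous operations: for security group changes, instance stop/restart, snapshot rollback, etc., confirm with the user first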
Confirm the exact region, instance ID, disk ID, snapshot ID, port, and CIDR before any mutating operation; prefer read-only queries unless the user clearly requests a change.
Installing the skill requires trusting npm package resolution and the Alibaba Cloud SDK packages used by the skill.
The skill depends on npm packages for Alibaba Cloud SDK functionality, using version ranges that may resolve to newer package versions.
"dependencies": { "@alicloud/openapi-client": "^0.4.10", "@alicloud/ecs20140526": "^7.0.0" }
Install from a trusted npm registry, consider pinning dependencies with a lockfile, and review dependency updates before use in sensitive cloud accounts.
