Aliyun Ecs Skill
PassAudited by VirusTotal on May 7, 2026.
Overview
Type: OpenClaw Skill Name: aliyun-ecs-skill Version: 1.0.0 The skill bundle is a legitimate administrative tool for managing Alibaba Cloud ECS instances using official SDKs (@alicloud/openapi-client). It facilitates environment setup via `scripts/setup.sh`, which correctly stores credentials locally in `~/.aliyun/config.json` and performs a connection test. The `SKILL.md` provides clear instructions for the AI agent, including security best practices like confirming dangerous operations and recommending RAM sub-accounts. While the tool handles sensitive API keys and provides broad infrastructure control, its logic is entirely consistent with its stated purpose, and no evidence of data exfiltration or malicious intent was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the key is over-privileged or the local config file is exposed, someone could manage or disrupt the user's ECS resources.
The skill explicitly asks for Alibaba Cloud API credentials and persists them locally so it can manage ECS resources.
我需要你的阿里云 API 密钥... AccessKey Secret... 创建 `~/.aliyun/config.json` 配置文件... 写入 ECS 配置和密钥
Use a dedicated RAM subaccount with the minimum permissions needed, avoid sharing broad account keys, protect or remove ~/.aliyun/config.json when not needed, and rotate the key if it was pasted into chat or shell history.
Mistaken use could stop or restart servers, change firewall exposure, or roll back disks from snapshots.
The skill can perform high-impact ECS operations and relies on confirmation guidance to keep those actions user-directed.
危险操作前先确认: 安全组修改、实例停止/重启、快照回滚等,先向用户确认
Confirm the exact region, instance ID, disk ID, snapshot ID, port, and CIDR before any mutating operation; prefer read-only queries unless the user clearly requests a change.
Installing the skill requires trusting npm package resolution and the Alibaba Cloud SDK packages used by the skill.
The skill depends on npm packages for Alibaba Cloud SDK functionality, using version ranges that may resolve to newer package versions.
"dependencies": { "@alicloud/openapi-client": "^0.4.10", "@alicloud/ecs20140526": "^7.0.0" }Install from a trusted npm registry, consider pinning dependencies with a lockfile, and review dependency updates before use in sensitive cloud accounts.