Security audit

Aliyun Ecs Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-built for Alibaba Cloud ECS administration, but it handles powerful cloud credentials and can make outage, data-loss, and public firewall changes with weak built-in safeguards.

Install only if you intend OpenClaw to administer Alibaba Cloud ECS resources. Use a dedicated RAM user with minimal permissions, avoid pasting long-lived AccessKey secrets into logged chat or shell commands, rotate any exposed keys, and verify ~/.aliyun/config.json permissions. Require exact region/resource IDs and explicit confirmation before stop, restart, snapshot rollback, deletion, or security-group changes, and always provide a restrictive CIDR instead of relying on the default.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (11)

Description-Behavior Mismatch
Severity: High
Confidence: 87%
Finding: The code exposes snapshot rollback, which is a destructive disk reset capability, but this powerful restore action is not reflected in the skill description. Hidden destructive functionality increases the chance that users or higher-level agents invoke an operation with severe data-loss consequences without appropriate scrutiny.

Missing User Warnings
Severity: Medium
Confidence: 81%
Finding: The README provides examples for security-sensitive and destructive operations such as stopping/restarting instances and modifying security group rules without any warning, approval step, or note about production impact. In an agent skill context, this can normalize unsafe automation patterns and increase the chance that users or downstream agents perform disruptive actions without adequate confirmation.

Missing User Warnings
Severity: High
Confidence: 97%
Finding: The skill explicitly asks the user to paste AccessKey ID and AccessKey Secret into the interaction and then uses them on a command line to create local configuration. Requesting long-lived cloud credentials in plain chat is dangerous because they may be logged, retained in history, exposed to other tools, or leaked via process arguments and shell history. In a cloud administration context, compromise of these secrets can lead to broad account abuse.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The skill documents destructive and high-impact actions such as stopping/restarting instances, modifying security groups, deleting snapshots, and rolling back snapshots, but the warnings are lightweight and not prominent where commands are shown. In an infrastructure operations skill, these actions can cause outages, data loss, or unintended internet exposure if invoked casually or through misunderstanding.

Missing User Warnings
Severity: Medium
Confidence: 98%
Finding: The script accepts `--access-key-id` and `--access-key-secret` on the command line, which exposes secrets through shell history, process listings, audit logs, and CI job output. Because these are cloud credentials for Alibaba Cloud ECS, leakage could enable unauthorized access to cloud resources.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The script writes `accessKeyId` and `accessKeySecret` to `~/.aliyun/config.json` in plaintext without clearly disclosing this behavior beforehand. Even with `chmod 600`, plaintext long-lived credentials on disk increase the risk of theft from backups, local compromise, malware, or accidental inclusion in support bundles.

Missing User Warnings
Severity: High
Confidence: 95%
Finding: The skill exposes start, stop, and reboot operations that directly alter service availability without any built-in confirmation, dry-run, or policy guardrails. In an agent context, ambiguous or manipulated user input could cause unintended downtime for production systems.

Missing User Warnings
Severity: High
Confidence: 98%
Finding: Resetting a disk to a snapshot is a destructive state-changing operation that can overwrite current data, yet this function performs it immediately with no confirmation or safety checks. In a cloud admin skill, this creates significant risk of irreversible data loss from prompt mistakes or malicious instruction injection.

Missing User Warnings
Severity: High
Confidence: 99%
Finding: Security group modification functions execute immediately and default the source CIDR to `0.0.0.0/0`, which can unintentionally expose services to the entire internet. In an agent skill, this default materially increases the chance that a vague request opens broad inbound access and creates remote attack surface.

Missing User Warnings
Severity: High
Confidence: 98%
Finding: Snapshot rollback directly calls a disk reset operation without any confirmation prompt, irreversible-action warning, or safety interlock. In an infrastructure management skill, this can cause immediate service disruption and data loss if triggered accidentally or through ambiguous agent/user instructions.

Missing User Warnings
Severity: Medium
Confidence: 96%
Finding: Security-group rule creation defaults the source CIDR to `0.0.0.0/0`, which opens the selected port to the public internet if the caller omits `--cidr`. In a cloud administration tool, insecure-by-default network exposure materially increases attack surface and can lead to unauthorized access to exposed services.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.