cloud-doc-intelligent-assistant
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill appears aligned with its stated purpose of fetching public cloud documentation, but users should notice its network access, local storage, optional webhooks, and monitoring behavior.
Before installing, confirm you want this skill to fetch public cloud docs, store local SQLite/cache/log/notification files, and optionally post webhook notifications. Use isolated installation, keep monitoring limits reasonable, and protect any webhook URLs you configure.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may fetch and store documentation automatically for broad cloud-related questions.
The skill instructs the agent to invoke it broadly whenever a supported cloud vendor is mentioned. This is relevant to the skill purpose, but it is a strong tool-selection instruction.
If the user's question mentions any one of Alibaba Cloud, Tencent Cloud, Baidu Cloud, or Volcengine → this skill must be invoked
Use this behavior for documentation tasks, but prefer confirmation before bulk fetching, monitoring, or notification workflows.
The skill can make web requests, create/update a local database, write logs, and generate notification files.
The skill discloses outbound network access and local file writes. These capabilities are expected for a documentation crawler and monitor, but they are still material behaviors users should understand.
permissions:
  network:
    outbound:
      - https://help.aliyun.com/*
      - https://cloud.tencent.com/*
      - https://cloud.baidu.com/*
      - https://www.volcengine.com/*
  filesystem:
    write:
      - data/*.db
      - logs/*.log
      - notifications/*.md
Keep request limits reasonable, review max_pages and monitoring settings, and run it in a directory where these local files are expected.
If configured, the skill can use webhook URLs to post monitoring notifications to external systems.
The skill reads optional webhook-related environment variables. Webhook URLs often contain credential-like tokens, although this use is disclosed and aligned with notifications.
environment:
  read:
    - AIFLOW_WEBHOOK_URL
    - RULIU_WEBHOOK_URL
    - CLOUD_DOC_MONITOR_LOAD_DOTENV
Use dedicated low-privilege webhook URLs, avoid sharing them, and do not enable .env loading unless you intend this skill to read local environment configuration.
Installation may bring in third-party Python dependencies and local package code.
The skill documents manual pip installation even though the registry install spec is absent. This is common for Python projects but means users should review the local package and dependencies before installing.
pip install .
# or development mode
pip install -r requirements.txt
Install in an isolated Python environment and consider pinning dependencies if reproducibility is important.
Public web documentation becomes persistent local context and may later be used by the client model; returned content should be treated as untrusted data, not instructions.
The skill stores fetched external documentation locally and returns raw document content to the calling model for summarization or comparison.
fetch_doc + doc_ref fetch documents one by one → store in local SQLite ... compare_docs retrieves the raw content of both documents → returns it to the caller
Have the caller label fetched documentation as untrusted source text and manage local database/cache retention according to user preference.
Monitoring can perform repeated/bulk checks and may send notifications after it is started.
The skill includes a monitoring mode with scheduled operation and optional notifications. This is disclosed and purpose-aligned, but it is more autonomous than a one-off fetch.
run_monitor
  description: Reads stored documents from the local database, re-fetches them in bulk to detect changes, and can push notifications
  parameters:
    mode: Inspection mode (check_now/scheduled)
Use check_now for one-time checks, and enable scheduled monitoring only when ongoing background-style behavior is intended.
