ClawHub

Alibabacloud Agentbay Aio Skills

v0.0.1

Execute code in a secure cloud sandbox via AgentBay SDK. Use this skill whenever users request to run, execute, or evaluate code (Python, JavaScript, R, Java...

0· 36·0 current·0 all-time
byalibabacloud-skills-team@sdk-team

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for sdk-team/alibabacloud-agentbay-aio-skills.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Alibabacloud Agentbay Aio Skills" (sdk-team/alibabacloud-agentbay-aio-skills) from ClawHub.
Skill page: https://clawhub.ai/sdk-team/alibabacloud-agentbay-aio-skills
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install alibabacloud-agentbay-aio-skills

ClawHub CLI

Package manager switcher

npx clawhub@latest install alibabacloud-agentbay-aio-skills
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name and description match the implementation: the script uses an AgentBay SDK (wuying-agentbay-sdk), contacts AgentBay endpoints, and implements remote code execution patterns. No unrelated cloud credentials or unrelated binaries are requested.
Instruction Scope
SKILL.md directs the agent to always use scripts/run_code.py and never run user code locally (coherent with a remote-sandbox design). It also prescribes injecting a matplotlib/CJK preamble that runs apt-get inside the sandbox when CJK characters are detected — this will cause package installs inside the remote environment and is explicitly intended for correct rendering. This behavior is within the stated purpose but notable: it causes network/package operations in the sandbox and forcibly modifies the executed code (preamble injection).
Install Mechanism
No install spec is provided (instruction-only), and the only declared dependency is the AgentBay SDK (pip install wuying-agentbay-sdk). There are no downloads from unknown URLs or extract steps in the skill package itself.
Credentials
The script optionally uses AGENTBAY_API_KEY or a config file at ~/.config/agentbay/api_key (or Windows equivalent). Requesting an API key and reading a service-specific config file is proportionate to a remote-execution skill; no unrelated secrets are requested.
Persistence & Privilege
The skill is not always-enabled, uses normal autonomous invocation defaults, and does not request system-wide persistence or modify other skills' configs. It reads a single service-specific config file for the API key (expected).
Assessment
This skill appears to do what it claims: it sends code to an Alibaba/AgentBay sandbox via the AgentBay SDK and expects an AgentBay API key (file or AGENTBAY_API_KEY). Before installing/using it, consider: 1) Code you run will be transmitted to the remote AgentBay service — do not send secrets or private data unless you trust the service and its tenancy policy. 2) The runner will automatically inject a matplotlib/CJK preamble that runs apt-get inside the sandbox when needed — this causes network/package installs inside the remote environment (not your local host). 3) The script reads an API key from ~/.config/agentbay/api_key if present; protect that file and the AGENTBAY_API_KEY environment variable as you would any credential. 4) If you need to verify the SDK, consider auditing the wuying-agentbay-sdk package source from the PyPI mirror you plan to use. Overall the skill is coherent with its stated purpose; review privacy and credential handling policies for the remote sandbox before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk971a2rba44sn9g7a5dwesd96x85p5tz
36downloads
0stars
1versions
Updated 15h ago
v0.0.1
MIT-0
alibabacloud-skills-team@sdk-team
latest
Download

AgentBay AIO Skill

How It Works

This skill runs user code in a remote sandbox (not locally) via AgentBay SDK. The entry script scripts/run_code.py handles sandbox creation, code execution, and result parsing automatically.

# Basic execution
python scripts/run_code.py --code "<user_code>" --language python

# Execute from file
python scripts/run_code.py --code-file /path/to/file.py --language python

# Structured JSON output (use this when writing results to files)
python scripts/run_code.py --code "<user_code>" --language python --json

Supported languages: python, javascript, r, java (case-insensitive). Timeout: 60 seconds max (--timeout-s).

Prerequisites

DependencyVersionPurpose
Python>= 3.8Runtime
wuying-agentbay-sdk>= 1.0.0AgentBay SDK for sandbox code execution

Setup

The script requires wuying-agentbay-sdk installed locally. Install it before first use:

pip install wuying-agentbay-sdk

This is the skill's own required dependency — installing it is not a security concern. If run_code.py fails with ModuleNotFoundError: No module named 'agentbay', install the SDK and retry.

Network domains used: agentbay.aliyuncs.com (API endpoint), agentbay.console.aliyun.com (console), mirrors.aliyun.com (PyPI mirror).

API Key Configuration

Run scripts directly without prompting for API Key configuration. Only guide users when the script explicitly reports "Missing API key":

  1. Apply at AgentBay Console
  2. Save to config file: ~/.config/agentbay/api_key (macOS/Linux) or %USERPROFILE%\.config\agentbay\api_key (Windows)

Execution Rules

CRITICAL: All user code MUST run through scripts/run_code.py — NEVER execute code directly in the local terminal (e.g., python -c, node -e, timeout ... python). This applies even if run_code.py fails on the first attempt.

  • If run_code.py fails with a transient error, retry once before reporting failure.
  • If run_code.py fails with "Missing API key" or ModuleNotFoundError, guide the user to fix the issue (see Setup / API Key Configuration) and retry — do NOT fall back to local execution.
  • NEVER run user code locally as a fallback. Report the error instead.

Do not install packages other than wuying-agentbay-sdk, and do not create virtual environments. The sandbox has its own package environment — the Agent should not attempt to modify it from outside.

Output Handling

Standard output: Exit code 0 = success, results in stdout. Non-zero = failure, error in stderr.

Structured output (--json): Returns { success, result, logs: { stdout, stderr }, error_message }.

Writing results to files: Use --json mode and extract only the result field to write to the target file. This ensures SDK metadata (such as session identifiers or internal request IDs) is not accidentally included in output files, because the raw non-JSON output may contain SDK log lines mixed with actual results.

Reporting results: Quote the script's original output directly. Do not infer, abbreviate, or recalculate values — if output is long, clearly indicate omitted portions but keep quoted values verbatim.

File Download Validation

When saving files generated in the sandbox (e.g., chart images) to the local environment:

  1. Use --json mode and extract the base64 content with Python (json module) — do NOT use shell tools (grep/sed/awk) to extract base64 strings, as they truncate long strings.
  2. Decode with: python -c "import base64,json,sys; d=json.load(sys.stdin); open('out.png','wb').write(base64.b64decode(d['result']))" < output.json
  3. Verify the saved file: size > 0 bytes; for images (PNG/JPEG), check magic bytes (89 50 4E 47 / FF D8 FF).
  4. For chart images, file size should be > 5 KB. A file under 5 KB almost certainly indicates truncated data — re-extract and re-decode.

If verification fails, retry the download. Do not report success with a corrupted file.

Chinese/CJK Character Rendering

The script (run_code.py) automatically handles CJK font configuration for matplotlib code — it detects Chinese/Japanese/Korean characters in user code and injects font installation and configuration before execution. No manual font setup is needed.

When the user's code contains Chinese characters AND uses matplotlib/plt, the Agent should proactively prepend the following font installation block in the --code argument on the first execution (not as a retry), because the sandbox may lack CJK fonts and the script's auto-detection provides a safety net but explicit installation is more reliable:

import subprocess
subprocess.run(['apt-get', 'update', '-qq'], capture_output=True)
subprocess.run(['apt-get', 'install', '-y', '-qq', 'fonts-wqy-microhei'], capture_output=True)
import matplotlib
import matplotlib.font_manager as fm
fm.fontManager.addfont('/usr/share/fonts/truetype/wqy/wqy-microhei.ttc')
fm.fontManager = fm.FontManager()
matplotlib.rcParams['font.family'] = 'WenQuanYi Micro Hei'
matplotlib.rcParams['axes.unicode_minus'] = False

This proactive approach avoids the undetectable failure where Chinese characters render as blank boxes (tofu) in the generated image — since tofu appears only visually in the image and produces no text-based warning in stdout, a retry-based approach cannot reliably detect the problem.

Information Security

Do not output internal environment variable names, API Key values, or SDK debug details in conversation replies. When executing scripts, use --json mode and display only the result and error_message fields to users. The raw SDK output may contain internal fields (session identifiers, request IDs, access credentials) that should not be exposed to users or written to output files.

Comments

Loading comments...