Skill v0.0.2

ClawScan security

Alibabacloud Analyticdb Postgresql Knowledgebase Ops · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Apr 29, 2026, 3:16 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's declared purpose (ADBPG knowledge‑base ops) largely matches its instructions, but there are several operational and security inconsistencies — notably a remote curl|bash installation recommendation, automatic plugin installation, instructions that may cause collection/entry of sensitive passwords via chat, and the skill documentation expects cloud credentials but none are declared in the registry metadata.
Guidance
This skill appears to implement what it claims (ADBPG knowledge‑base operations) but contains several operational risks you should review before installing or running it:

- Inspect the included Python script (scripts/upload_document_local.py) yourself to verify it uses the SDK default credential chain and does not hardcode or exfiltrate secrets.
- Do not run curl | bash install commands from the SKILL.md without reviewing the script contents. Prefer to install the aliyun CLI from your package manager or the official vendor release you trust.
- Be cautious about enabling `--auto-plugin-install` or running `aliyun plugin update`: these change your CLI environment and can install third‑party plugins. Consider running commands manually or in an isolated environment first.
- The skill asks you to provide manager/namespace passwords; avoid pasting long‑lived secrets into chat. If you must provide credentials, use short‑lived STS tokens or configure credentials locally/outside the agent session as the docs advise.
- The skill will create cloud resources if none exist (possible costs). Confirm and approve any resource creation explicitly and ensure the IAM principal has least‑privilege permissions.

If you plan to use this skill: run it first in a controlled/test account or sandbox, review and vet the upload script, and avoid enabling any automatic installs or configuration changes until you are comfortable with the commands the skill will execute.

Review Dimensions

Purpose & Capability
note
The skill's name, description, CLI commands, and RAM policies all align with AnalyticDB PostgreSQL knowledge‑base management (create KBs, upload/search documents, Q&A). However, the registry metadata lists no required credentials/env vars while the SKILL.md clearly requires Alibaba Cloud credentials and CLI configuration; this mismatch is notable but plausibly explained by relying on the CLI/default credential chain rather than environment variables.
Instruction Scope
concern
SKILL.md is prescriptive and mostly scoped to KB operations, but contains risky or surprising instructions: (1) it tells the agent to enable 'AI‑mode' in the aliyun CLI and to set a particular user-agent for every command, (2) it instructs to auto-create ADBPG instances (costly infrastructure) by invoking other skills if none exist, and (3) it defines collecting manager/namespace passwords through the conversation (text), which could cause users to provide sensitive secrets in chat. The document also directs running CLI plugin updates and enabling auto-plugin-install, which broadens what the agent will install/execute on the host.
Install Mechanism
concern
There is no formal install spec (instruction-only), but SKILL.md recommends installing the official aliyun CLI via a remote install script (curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash) and enabling automatic plugin installation/update. Pipe-to-shell remote install instructions and auto-plugin installs are high-risk actions (they execute remote code on the user's machine and can pull arbitrary plugins). The included Python helper uses Alibaba Cloud SDK (expected) but the install path is not enforced or sandboxed.
Credentials
concern
The skill legitimately requires Alibaba Cloud credentials and RAM permissions (documented in references/ram-policies.md) and may need OSS permissions for local uploads; these are proportionate to the task. However, the registry metadata declares no required env vars or primary credential even though SKILL.md documents credential usage and environment variables (ALIBABA_CLOUD_*). The mismatch between declared metadata and documented requirements reduces transparency. Also, the skill's guidance to collect passwords in conversation increases risk of secret exposure.
Persistence & Privilege
concern
The skill does not request 'always:true' and is not inherently persistent, but it instructs the operator to change CLI behavior (aliyun configure set --auto-plugin-install true, aliyun plugin update, enabling AI‑mode) which modifies user configuration and can cause persistent changes on the host and allow future automatic plugin installs. It also recommends invoking other skills to auto‑create instances (resource creation with cost); combined with auto-plugin installs this increases blast radius if run without scrutiny.