ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alibabacloud Bailian Rag Knowledgebase

v0.0.1

Alibaba Cloud Bailian Knowledge Base Retrieval Tool. Use Alibaba Cloud Bailian SDK to query and retrieve knowledge base content. Use when: User needs to quer...

0· 4·0 current·0 all-time
byalibabacloud-skills-team@sdk-team
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the actual code: scripts call Bailian and ModelStudio SDKs to list workspaces/indices and retrieve documents. No unrelated services or binaries are requested.
Instruction Scope
SKILL.md instructs running provided scripts, installing npm dependencies, and configuring Alibaba Cloud credentials via the default credential chain. The scripts only access Alibaba Cloud endpoints and local credential/config files (~/.aliyun/config.json or ~/.acs/credentials) which is expected for this purpose.
Install Mechanism
There is no formal install spec in the registry (instruction-only), and SKILL.md tells users to run `npm install`. The repository manifest does not include package.json, so the 'npm install' instruction is inconsistent with the provided files — users will need to ensure the necessary packages are installed. No downloads from untrusted URLs or extract operations are present.
Credentials
The skill does not declare required env vars but uses Alibaba Cloud's default credential chain (CLI config files or env vars) and requires RAM permissions (documented). Requesting access to the user's Alibaba Cloud credentials is proportionate to the skill's function, but the registry metadata could be clearer about the primary credential requirement.
Persistence & Privilege
Skill is not always-enabled, does not request elevated platform privileges, and does not modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but not combined with other concerning behaviors.
Assessment
This skill appears to do what it claims (query Bailian knowledge bases). Before installing or running it: (1) Confirm you trust the source — the package metadata lacks a package.json in the manifest, so review or create a package.json listing the dependencies before running `npm install`. (2) Use a least-privilege RAM user: grant only required Bailian/ModelStudio permissions rather than root-level credentials. (3) Prefer using the Alibaba Cloud CLI or config files (default credential chain) rather than pasting AccessKey/SecretKey into other places. (4) Run the scripts in a safe environment and review the scripts (they only call Alibaba Cloud SDKs and validate inputs). If you need higher assurance, request a signed release or an explicit package.json from the publisher.
scripts/check_env.js:44
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bxgseb7wea61mf875eehg4s84g80b

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments