Alibabacloud Cfw Exposure Detection
Pass
Audited by ClawScan on May 10, 2026.
Overview
The skill is a coherent read-only Alibaba Cloud Firewall exposure audit, but it will use the local Aliyun CLI profile and may install or update Aliyun CLI components, so users should confirm their profile and setup before running it.
Install only if you intend the agent to query Alibaba Cloud Firewall using your local Aliyun CLI profile. Use a read-only RAM user or role, confirm the active profile and region first, and review any CLI installer or plugin-update commands before allowing them to run.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
When invoked, the agent may immediately query Alibaba Cloud Firewall data from the configured local CLI account.
The skill directs the agent to invoke local CLI/API commands automatically when used. This is aligned with the read-only cloud exposure audit purpose, but it reduces the chance for an extra confirmation step.
The ONLY way to get data is by running `aliyun cloudfw ...` CLI commands ... Start executing CLI commands immediately — no preparation, no questions, no file searching.
Before using it, confirm the active Aliyun CLI profile and region are the account you intend to audit.
The audit can reveal public IPs, ports, firewall status, vulnerabilities, events, and ACL information available to the configured Alibaba Cloud identity.
The skill depends on existing local Alibaba Cloud credentials. The artifacts include credential-safety rules and do not instruct printing raw secrets, but the cloud account profile still determines what data can be accessed.
Alibaba Cloud Credentials Required ... `aliyun configure list` ... Check the output for a valid profile (AK, STS, or OAuth identity).
Use a least-privilege RAM user or role with the documented read-only Cloud Firewall permissions, rather than a root or broadly privileged account.
Local Aliyun CLI components or plugins may be installed or updated before the audit runs.
The setup guidance may execute a remote installer and update Aliyun CLI plugins. This is related to making the Alibaba CLI integration work, but it introduces normal supply-chain risk from downloaded tooling and plugin updates.
run `curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash` to install/update ... [MUST] run `aliyun configure set --auto-plugin-install true` ... [MUST] run `aliyun plugin update`
Prefer installing Aliyun CLI through trusted package managers where possible, verify the source, and review plugin-update behavior before allowing automated setup.
If the cleanup command is not run, Aliyun CLI AI-mode could remain enabled after the task.
The skill temporarily changes Aliyun CLI AI-mode settings and includes a cleanup instruction. This is disclosed and scoped to the CLI integration, but it is still a local persistent configuration if cleanup fails.
Run the following commands before any CLI invocation: `aliyun configure ai-mode enable` ... `aliyun configure ai-mode set-user-agent ...` ... Before delivering the final response for ANY reason, always disable AI-mode first.
After use, you can manually run `aliyun configure ai-mode disable` to ensure the CLI setting is reverted.
