Alibabacloud Das Agent

Security checks across malware telemetry and agentic risk

Overview

This skill's stated purpose, Alibaba Cloud database diagnostics, is legitimate, but it operates with high-impact cloud credentials and a provider-side agent that orchestrates tools, and neither the permissions it needs nor any confirmation controls are clearly bounded.

Install only if you are comfortable connecting an AI-driven tool to your Alibaba Cloud database environment. Use a dedicated least-privilege RAM role, start with non-production or read-only diagnostic prompts, monitor paid quota usage, and require explicit human approval before any database, account, or billing-impacting change.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
High
What this means

If installed with broad Alibaba Cloud credentials, the skill may operate with more account authority than the user expects for a chat-based diagnostic tool.

Why it was flagged

The skill reads cloud account credentials from the default provider chain. Its documentation cites a broad FullAccess-style system policy (AliyunHDMFullAccess), while its metadata declares only the narrower das:Chat permission, so the authority the skill actually needs is unclear.

Skill content
Requires Alibaba Cloud credentials to be available through the default credential chain (AliyunHDMFullAccess permission). ... required_permissions: - "das:Chat"
Recommendation

Use a dedicated least-privilege RAM user or role, prefer the narrowest documented DAS Chat permission where possible, and avoid running it with administrator, broad FullAccess, or production role credentials unless explicitly needed.
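As an added illustration of the recommendation above (this is not code from the skill or from Alibaba Cloud), the policy documents below are constructed examples: one that grants only the das:Chat action the skill's metadata declares, and one that grants a wildcard over the das service, which is the FullAccess-style scope the finding warns about. The audit function flags any Allow statement whose actions exceed a small allowlist, so a RAM user or role intended for this skill can be checked before the credentials are handed to it. The action names and the allowlist are assumptions for illustration; the system policy AliyunHDMFullAccess is not reproduced here because its contents are not on this page.

```python
import json

# Constructed policy in Alibaba Cloud RAM syntax: grants only the action the
# skill's metadata declares. Resource "*" is kept because das:Chat is not
# resource-scoped in this example (assumption).
NARROW_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["das:Chat"], "Resource": "*"}
    ],
}

# Constructed FullAccess-style grant of the kind the finding warns against.
BROAD_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "das:*", "Resource": "*"}
    ],
}

# Allowlist for a RAM identity dedicated to this skill (assumption: only the
# documented das:Chat action is required).
ALLOWED_ACTIONS = {"das:Chat"}


def audit_policy(policy, allowed=ALLOWED_ACTIONS):
    """Return findings for Allow statements that exceed the allowed actions.

    Any wildcard in an action ("*", "das:*", "rds:Describe*") is reported, as is
    any concrete action outside the allowlist. Deny statements are ignored
    because they only narrow access. An empty list means the policy is within
    the expected bounds.
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif action not in allowed:
                findings.append(f"statement {i}: action {action!r} not in allowlist")
    return findings


def audit_policy_json(text, allowed=ALLOWED_ACTIONS):
    """Same check for a policy document supplied as JSON text."""
    return audit_policy(json.loads(text), allowed)


if __name__ == "__main__":
    for name, policy in (("narrow", NARROW_POLICY), ("broad", BROAD_POLICY)):
        print(name, audit_policy(policy) or "ok")
```

Run the audit against the policy attached to the RAM user or role whose AccessKey the default credential chain will pick up; any finding means the skill would run with more authority than a chat-based diagnostic tool needs.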

ASI02: Tool Misuse and Exploitation
Medium
What this means

A normal troubleshooting request could cause the remote DAS agent to perform cloud/database operations or consume paid service quota without the user understanding the exact underlying actions.

Why it was flagged

The artifacts show that natural-language prompts are forwarded to a provider-side agent that can orchestrate tools, but they do not clearly define read-only limits, approval requirements, rollback behavior, or containment for management actions.

Skill content
Diagnose and manage Alibaba Cloud databases through natural language ... DAS Agent internally orchestrates multiple API calls and tool invocations to answer a single question.
Recommendation

Treat this as a high-impact cloud automation tool: ask it to explain intended actions before changes, avoid ambiguous management prompts, and require explicit confirmation for any action that changes resources, settings, data, or billing.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Installing or first-running the skill may fetch and execute Python packages from the package ecosystem, which users may not expect from an instruction-only listing.

Why it was flagged

The skill runs a local Python helper through uv and installs Python dependencies at first run. The packages are pinned to exact versions, which reduces risk, although version pins alone do not protect against a compromised or replaced release on the package index. The registry entry, however, declares no install spec and no required binaries even though SKILL.md requires uv.

Skill content
dependencies = [ "alibabacloud_credentials==1.0.2", "pytz==2025.2", "requests==2.32.5" ]
Recommendation

Review the pinned dependencies, run in an isolated environment if possible, and update registry/install metadata to declare the uv requirement and Python dependency setup.

ASI06: Memory and Context Poisoning
Low
What this means

Database identifiers, SQL snippets, diagnostic outputs, or prior instructions may influence later requests if the same session ID is reused.

Why it was flagged

The remote DAS service maintains reusable conversation context through a session ID, which is useful for follow-up diagnostics but may also carry prior database context into later turns.

Skill content
`session` | `session_id` | Server-assigned session ID (always first event). Reuse this ID for multi-turn conversations.
Recommendation

Use fresh sessions for unrelated databases or tasks, and do not include secrets, passwords, or unnecessary sensitive data in prompts.
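One way to enforce the recommendation above on the caller's side, as an added example that is not part of the skill or of the DAS service: keep the server-assigned session ID keyed by target instance, so a conversation about one database is never continued with another, and refuse prompts that look like they carry credentials before they leave the machine. The event shape (a dict with a "type" and a "session_id"), the request dict, and the credential patterns are assumptions for illustration; the page only states that a session event carrying session_id arrives first and that the ID can be reused for multi-turn conversations.

```python
import re
from dataclasses import dataclass, field

# Constructed heuristic patterns for prompts that appear to embed a credential.
# This is a last-line check, not a substitute for keeping secrets out of prompts.
SECRET_PATTERNS = [
    re.compile(r"(?i)\bpassword\s*[:=]\s*\S+"),
    re.compile(r"(?i)\b(access[_ -]?key[_ -]?secret|secret[_ -]?key)\s*[:=]\s*\S+"),
    re.compile(r"(?i)\b\w+://[^\s/:]+:[^\s@]+@"),  # user:pass embedded in a DSN
]


class PromptContainsSecret(ValueError):
    pass


@dataclass
class SessionRegistry:
    """One DAS session per target instance, so prior context never crosses targets.

    `sessions` maps a target identifier (for example a DB instance ID) to the
    server-assigned session ID from the first 'session' event of that conversation.
    """
    sessions: dict = field(default_factory=dict)

    def session_for(self, target):
        # None tells the caller to start a fresh conversation for this target.
        return self.sessions.get(target)

    def record(self, target, session_id):
        existing = self.sessions.get(target)
        if existing is not None and existing != session_id:
            raise ValueError(f"session ID for {target!r} changed unexpectedly")
        self.sessions[target] = session_id

    def reset(self, target):
        # Drop the stored session when switching to an unrelated task on the same instance.
        self.sessions.pop(target, None)


def build_request(registry, target, prompt):
    """Build the request the helper would send: prompt plus the session ID for this target.

    The session ID is attached only when the target already has one, so a new
    target always starts a fresh conversation. Prompts that look like they contain
    credentials are rejected.
    """
    for pattern in SECRET_PATTERNS:
        if pattern.search(prompt):
            raise PromptContainsSecret("prompt appears to contain a credential; remove it")
    request = {"target": target, "prompt": prompt}
    session_id = registry.session_for(target)
    if session_id is not None:
        request["session_id"] = session_id
    return request


def handle_events(registry, target, events):
    """Record the session ID from the first event, which the skill docs say is always 'session'."""
    if not events or events[0].get("type") != "session":
        raise ValueError("expected a 'session' event first")
    session_id = events[0]["session_id"]
    registry.record(target, session_id)
    return session_id
```

A wrapper built this way makes the session boundary explicit: the only way to carry context from one target to another is to call `record` with the wrong target deliberately, which is easy to spot in review.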

ASI09: Human-Agent Trust Exploitation
Low
What this means

An agent or script that trusts the documented stream separation rather than the actual answer delimiters may take progress or tool-call output as the final answer text.

Why it was flagged

The code comment quoted below conflicts with SKILL.md's claim that --pipe routes progress and tool-call noise to stderr and writes only the DAS answer to stdout, so automated callers that rely on the documentation may over-trust the output separation.

Skill content
In PIPE mode, everything goes to stdout in order; answer is wrapped in clear delimiters.
Recommendation

Callers should parse the explicit answer delimiters or use --json mode, and the publisher should correct the documentation/code mismatch.
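A caller-side parser that follows the recommendation above, as an added example that is not code from the skill: it merges stdout and stderr so the result does not depend on which of the two contradictory descriptions is correct, takes only the text between the answer delimiters, and fails closed when no complete delimited block is present instead of returning the surrounding noise as the answer. The delimiter strings and the sample --pipe output are assumptions for illustration; the page says the answer is wrapped in "clear delimiters" but does not state them, so set these from the helper's source before use.

```python
import subprocess

# Assumed delimiters. The skill's code comment says the answer is wrapped in
# clear delimiters but this page does not state them; read them from the helper.
ANSWER_START = "<<<ANSWER>>>"
ANSWER_END = "<<<END_ANSWER>>>"


class AnswerNotFound(RuntimeError):
    pass


def extract_answer(stream, start=ANSWER_START, end=ANSWER_END):
    """Return the first complete delimited answer in a combined output stream.

    Progress lines and tool-call traces before, between or after the delimiters
    are ignored. A missing start delimiter, or a start delimiter with no matching
    end, raises AnswerNotFound rather than handing back partial or unrelated text.
    """
    start_idx = stream.find(start)
    if start_idx == -1:
        raise AnswerNotFound("no answer start delimiter in output")
    body_start = start_idx + len(start)
    end_idx = stream.find(end, body_start)
    if end_idx == -1:
        raise AnswerNotFound("answer start delimiter without matching end delimiter")
    return stream[body_start:end_idx].strip()


# Constructed sample of what a --pipe run could write: progress and tool-call
# noise interleaved with the delimited answer on the same stream.
SAMPLE_PIPE_OUTPUT = """\
[progress] resolving instance rm-xxxx
[tool] DescribeSlowLogRecords called
<<<ANSWER>>>
The slow queries come from a missing index on orders(customer_id).
<<<END_ANSWER>>>
[progress] done
"""


def run_helper(cmd):
    """Run the helper command, merge both streams, and parse the delimited answer.

    Merging stdout and stderr means a future change to where the helper routes
    progress output cannot silently turn noise into the parsed answer.
    """
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    if proc.returncode != 0:
        raise RuntimeError(f"helper exited {proc.returncode}: {proc.stderr.strip()}")
    return extract_answer(proc.stdout + proc.stderr)


if __name__ == "__main__":
    print(extract_answer(SAMPLE_PIPE_OUTPUT))
```

Where the helper offers --json, parsing that structured output is the simpler route; the delimiter parser is for callers that must consume --pipe output and cannot rely on the stderr/stdout split the documentation describes.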