Alibabacloud Data Agent Skill
WarnAudited by ClawScan on May 18, 2026.
Overview
This appears to be a real Alibaba Cloud data-analysis skill, but it needs review because it requests broad cloud/database authority and includes background monitoring plus unsafe-looking report download path handling.
Before installing, review the code and requirements, use a dedicated least-privilege Alibaba Cloud account, avoid auto-confirming SQL, disable heartbeat/background notifications unless explicitly needed, and periodically delete or secure local session/report files.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing and using the skill may let the agent enumerate DMS resources, create/update Data Agent sessions, import tables, and analyze enterprise database contents under the user's Alibaba Cloud identity.
The skill relies on local/cloud credential sources and recommends broad Alibaba Cloud DMS/Data Agent permissions, while the registry metadata declares no primary credential. This is high-impact access to enterprise database resources.
The Skill uses Alibaba Cloud SDK's default credential chain ... supporting environment variables, configuration files, instance roles, etc. ... RAM users need `AliyunDMSFullAccess` or `AliyunDMSDataAgentFullAccess` permissions.
Use a dedicated least-privilege RAM user, avoid full DMS access where possible, restrict region/resources, prefer read-only database access, and verify every requested action before running analysis.
If a report filename is malicious or malformed, a downloaded report could be written outside the intended `sessions/<id>/reports` folder.
Report filenames returned by the provider are joined directly into a local output path. The shown call site does not sanitize absolute paths or `..` path segments before writing the downloaded file.
save_path = report_dir / (rf.filename or f"{rf.file_id}.bin") ... file_manager.download_from_url(rf.download_url, str(save_path))Sanitize report filenames with a basename-only allowlist, reject absolute or parent-directory paths, and verify the resolved output path stays under the report directory before writing.
The agent could continue monitoring analysis sessions and send database-analysis progress or report content after the initial request, possibly in channels the user did not explicitly approve for that session.
The heartbeat asset tells an agent to autonomously scan all session directories, read progress/reports/errors, and push updates through messaging channels, which is broader and less user-visible than the main SKILL.md workflow.
当 HEARTBEAT 触发时 ... 扫描目录:`dms-data-agent/sessions/*` ... 使用 send_message tool 或当前 channel(如 Telegram/WhatsApp)推送 ... 优先使用 isolated agentTurn 执行检查
Require explicit opt-in for heartbeat monitoring, bind it to a specific session and approved channel, and disable or remove the heartbeat behavior if continuous notifications are not needed.
If the user chooses this option, later SQL generated during the session may run without individual review.
The CLI presents an optional user-directed path to skip future per-SQL confirmations in a session. It is disclosed, but it is risky for enterprise databases.
To agree to execute all subsequent SQL automatically: ... attach --session-id {session_id} -q '同意后续所有SQL执行'Keep the default confirmation flow for production data, use read-only/test database accounts, and avoid automatic SQL approval unless the analysis scope is well understood.
Sensitive business questions, database-derived summaries, SQL plans, and generated reports may remain on disk and be reused in later session attachments.
The skill intentionally stores progress logs, reports, and reusable session context under local session directories.
cat sessions/abc123xyz/progress.log ... Download generated reports ... Benefits of Reuse: ... Preserve context history
Store the skill directory securely, avoid mixing unrelated users or datasets in reused sessions, and delete `sessions/` content and downloaded reports when no longer needed.