Skillv0.0.1-beta.2

ClawScan security

Alibabacloud Dataworks Data Quality · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 22, 2026, 2:16 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's purpose (read-only DataWorks queries) is plausible, but the manifest omits required binaries/credentials and the runtime instructions encourage remote installs and auto-plugin behavior that broaden the skill's execution surface — these mismatches warrant caution.
Guidance: This skill appears to be what it says (read-only DataWorks queries) but the package metadata is incomplete and the runtime steps include remote installs and CLI plugin auto-installation. Before installing or using it: (1) require the skill author to declare required binaries (aliyun CLI, jq) and required credential presence in the metadata; (2) run any installation commands yourself rather than letting the agent run curl|bash; verify downloads come from the official Alibaba domain and check the installer contents if possible; (3) avoid enabling auto-plugin-install or run `aliyun plugin update` only after reviewing what will be installed; (4) use an identity with minimal read-only RAM permissions shown in references/ram-policies.md (do not use account-level AK/SK); (5) do not paste AK/SK into chat and confirm the skill will never print secrets. If the author cannot address the metadata gaps or justify the auto-plugin/install steps, treat this skill with caution or refuse installation.

Review Dimensions

Purpose & Capability: concernThe SKILL.md clearly requires the aliyun CLI (>=3.3.3) and recommends jq and specific CLI configuration; however the skill metadata lists no required binaries and no primary credential. That omission is an incoherence: querying DataWorks via the CLI legitimately requires a configured Alibaba Cloud credential and the CLI binary, so those should have been declared.
Instruction Scope: concernRuntime instructions direct the agent/operator to run many local CLI commands and to check credential status via `aliyun configure list` (acceptable), but also mandate `aliyun plugin update` and enabling `--auto-plugin-install`. Those actions can cause the CLI to fetch and install plugins (remote code) during normal use. The SKILL.md also includes an explicit curl | bash installer if the CLI is missing. While the commands are targeted at the Alibaba CLI, they expand the scope of what will be executed on the host and give the agent steps that perform remote code retrieval and local configuration changes.
Install Mechanism: concernThere is no formal install spec (instruction-only), but the guidance includes high-risk install patterns (curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash and wget of archives from aliyuncli.alicdn.com). Although these point at the vendor CDN (aliyuncdn/alicdn), curl|bash and archive downloads are remote-execute patterns and should be treated as risky. The SKILL.md also requires plugin update/auto-install which can write files on disk and run code from plugin sources.
Credentials: concernThe skill legitimately needs Alibaba Cloud credentials/configuration to query DataWorks, and the docs instruct verifying credentials via `aliyun configure list`. Yet the manifest declares no required env vars or primary credential. This mismatch reduces transparency. On the positive side, the SKILL.md explicitly warns not to echo/print AK/SK, and the recommended IAM policy is read-only, which is proportionate — but the omission in the metadata is a red flag.
Persistence & Privilege: notealways is false and the skill is user-invocable (normal). However the instructions ask to enable CLI AI-mode, set a skill-specific user-agent, enable auto-plugin-install, and run `aliyun plugin update` — these change local CLI configuration and can persist across sessions, affecting future CLI behavior. That local persistence is not automatically malicious but increases the blast radius if combined with remote installs or untrusted plugins.