Alibabacloud Dlf Manage
Review
Audited by ClawScan on May 11, 2026.
Overview
This skill appears to be a read-only Alibaba Cloud DLF metadata viewer, but users should note that it uses existing Alibaba Cloud credentials and has an incomplete dependency/install reference.
Before installing, make sure you are comfortable letting the agent use Alibaba Cloud credentials available in the environment to read DLF metadata. Use a least-privilege read-only RAM identity, verify the dependency installation because the referenced requirements.txt is missing from the supplied files, and avoid querying full table details unless you need schemas or properties.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If installed and invoked, the skill can use your configured Alibaba Cloud identity to list or retrieve DLF metadata that the identity is allowed to read.
The skill is designed to use existing Alibaba Cloud credentials from local or runtime credential sources. This is expected for querying DLF, but it means the agent can act with the permissions available to those credentials.
Use the default credential chain (CredentialClient) to obtain credentials automatically. Supported sources ... Environment variables ... ~/.alibabacloud/credentials ... ECS Instance RAM Role ... OIDC Role ARN
Use a least-privilege RAM role or access key limited to the listed read-only DLF actions, and avoid running it in environments with broader cloud credentials than needed.
A broad read-only policy may reveal catalog names, database names, table names, schemas, owners, properties, and storage paths across accessible DLF resources.
The requested RAM policy is read-only but account/resource-wide for DLF metadata. That scope is coherent with listing catalogs and tables, but it can expose broad data-lake metadata.
"Action": [ "dlfnext:ListCatalogs", "dlfnext:GetCatalog", "dlfnext:GetCatalogById", "dlfnext:ListDatabases", "dlfnext:ListDatabaseDetails", "dlfnext:GetDatabase", "dlfnext:ListTables", "dlfnext:ListTableDetails", "dlfnext:GetTable" ], "Resource": "*"
Grant only the DLF read permissions and data permissions needed for the specific catalogs, databases, or tables the user intends to query whenever Alibaba Cloud supports such scoping.
Installation may fail or require users to choose dependencies manually, reducing reproducibility of the setup.
The supplied file manifest does not include requirements.txt and there is no install spec, so the claimed pinned dependency file cannot be verified from the provided artifacts.
pip install -r requirements.txt ... requirements.txt pins the full transitive dependency closure
The publisher should include the referenced requirements.txt or update the documentation to use a verifiable pinned install command.
The agent may retrieve lists of DLF catalogs, databases, tables, and schema details during user-directed metadata queries.
The script performs DLF SDK API calls and returns results to stdout. These calls are read-only and purpose-aligned, but they can enumerate cloud metadata when valid credentials are present.
resp = client.list_tables(catalog_id, database, request) ... out_paginated(resp.body.tables or [], resp.body.next_page_token)
Confirm the target region, catalog, database, and table before invoking detailed queries, and prefer the documented lightweight list actions when full schema or properties are not needed.
