Alibabacloud Emr Spark Manage
Warn
Audited by ClawScan on May 18, 2026.
Overview
This is a coherent Alibaba Cloud Spark management skill, but it can use broad cloud credentials to create paid resources and change access while the registry does not clearly declare that credential boundary.
Install only if you intend the agent to manage Alibaba Cloud EMR Serverless Spark resources. Verify the publisher, use a dedicated least-privilege RAM identity, avoid broad FullAccess where possible, confirm all billing/public-endpoint/token/IAM changes, and review CLI installer/plugin settings before running setup commands.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used with broad credentials, the agent could create or remove cloud services, manage tokens, and change workspace membership or roles.
The documented permission set includes administrator-style resource management and access-management actions, not just Spark job submission.
AliyunEMRServerlessSparkFullAccess ... Administrator permissions, includes all operations ... emr-serverless-spark:CreateWorkspace ... emr-serverless-spark:DeleteKyuubiService ... emr-serverless-spark:AddMembers ... emr-serverless-spark:GrantRoleToUsers
Use the narrowest RAM policy that fits the task, avoid FullAccess unless truly needed, and require explicit approval before any IAM, membership, token, public endpoint, or deletion operation.
The agent may act with the permissions of an existing Alibaba Cloud profile, environment variable, or instance role, potentially broader than the user intended.
The skill will operate using whatever Alibaba Cloud credentials the local environment exposes; the supplied registry requirements list no primary credential, which under-declares the account authority involved.
Supports Alibaba Cloud default credential chain, including environment variables, configuration files, instance roles, etc.
Before installing, configure a dedicated least-privilege Alibaba Cloud identity for this skill and verify which credential source the CLI will use.
A mistaken or overbroad command could create billable cloud resources or subscriptions.
Workspace creation can select paid billing modes and automatic payment; this is purpose-aligned but financially impactful.
paymentType ... `PayAsYouGo` ... or `Subscription` ... `autoPayOrder` ... Whether to auto-pay order
Confirm region, payment type, CU size, workspace name, and whether auto-pay is enabled before allowing create or scale operations.
Submitted jobs can process data, access OSS/DLF through the job role, consume compute, and write outputs.
The skill submits Spark JAR, Python, or SQL workloads for execution in Alibaba Cloud, which is expected for EMR Spark management but still executes user-selected code under a cloud job role.
"entryPoint": "oss://my-bucket/jars/my-app.jar" ... "sparkSubmitParameters": "--class com.example.MyApp ..."
Review every job entry point, OSS path, Spark parameter, and job role before submission; keep the documented explicit confirmation step.
Installing or updating the CLI/plugins could run code from Alibaba's distribution channel and change the user's local CLI environment.
The setup guidance uses a remote shell installer and enables automatic CLI plugin installation; this is disclosed and related to the Aliyun CLI workflow, but it depends on external code provenance.
run `curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash` ... run `aliyun configure set --auto-plugin-install true` ... run `aliyun plugin update`
Install the Aliyun CLI from an official verified source, review the installer where practical, and understand that auto-plugin-install is a persistent CLI setting.
A Kyuubi service or session cluster left running may continue to cost money or expose an endpoint until stopped.
The skill can create long-running cloud services that persist and consume resources after the immediate interaction.
Kyuubi service consumes resources continuously while running, recommend stopping when not in use
Track created services, stop them when finished, avoid public endpoints unless needed, and periodically review active EMR Serverless Spark resources.
