Alibabacloud Hologres Instance Manage
v0.0.1Alibaba Cloud Hologres Instance Management Skill. Use for listing and querying Hologres instances. Triggers: "hologres", "list instances", "get instance deta...
⭐ 0· 38·0 current·0 all-time
byalibabacloud-skills-team@sdk-team
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The name/description match the runtime instructions: the skill is limited to listing and getting Hologres instances via the Aliyun CLI (hologram API). One minor inconsistency: the registry metadata lists no required binaries, but the SKILL.md assumes the Aliyun CLI (aliyun) is present or will be installed — the skill should have declared aliyun as a required binary.
Instruction Scope
SKILL.md stays within scope (only lists/queries instances). It enforces not to read or echo AK/SK and to rely on Alibaba Cloud's default credential chain. However, the documentation includes explicit examples of using `aliyun configure set` with literal credentials (in the installation/reference docs) even though the SKILL.md states the skill MUST NOT handle AK/SK — this is a documentation inconsistency the author should fix. The runtime commands do not instruct reading unrelated files or exfiltrating data.
Install Mechanism
There is no formal install spec (instruction-only), which is low-risk, but SKILL.md suggests installing the Aliyun CLI by piping a remote script (curl https://aliyuncli.alicdn.com/install.sh | bash). The URL is an official Alibaba CDN, but download-and-pipe is a risky pattern; users should prefer package-managed installs (brew, distro packages, or verified binaries) and verify the script before running.
Credentials
The skill declares no required environment variables or primary credential and relies on the cloud provider's default credential chain (AK, STS, ECS RAM role, or RamRoleArn) — this is appropriate for the described functionality. The reference docs do show environment variable and `configure set` examples (which are normal for users configuring their environment), but the skill's runtime instructions explicitly avoid handling credentials.
Persistence & Privilege
The skill is not marked always:true, is user-invocable, and has no install/spec that writes persistent non-skill config. It does not request elevated or cross-skill privileges and does not modify other skills' configs.
Assessment
This skill is coherent with its stated purpose, but review a few things before installing and running: 1) The skill expects the aliyun CLI—verify that the metadata declares this or ensure you have aliyun installed. 2) SKILL.md suggests running curl https://aliyuncli.alicdn.com/install.sh | bash; prefer installing via your OS package manager (brew/apt) or download the official binary and inspect it instead of piping to shell. 3) The skill correctly avoids handling AK/SK in-session, but the reference docs include examples of `aliyun configure set` with explicit keys — never paste your secret keys into a conversation with the agent; configure credentials locally and securely. 4) Apply least-privilege RAM policies (scope hologram:GetInstance/ListInstances to required resources). 5) If you want stricter control, confirm whether the agent will invoke the skill autonomously in your environment and, if necessary, restrict autonomous invocation or review logs when the skill runs.Like a lobster shell, security has layers — review code before you run it.
latestvk975tnky1k64kqfr6fgyqbv9hd842ghv
License
MIT-0
Free to use, modify, and redistribute. No attribution required.