Alibabacloud Liverecord Diagnosis
PassAudited by VirusTotal on May 8, 2026.
Overview
Type: OpenClaw Skill Name: alibabacloud-liverecord-diagnosis Version: 0.0.1 The skill bundle is a comprehensive diagnostic tool for Alibaba Cloud ApsaraVideo Live recording issues. It utilizes the official Aliyun CLI to perform read-only operations, such as querying configurations, stream status, and callback records (e.g., `aliyun live describe-live-record-config` in SKILL.md and related-commands.md). The instructions include strong security guardrails, explicitly forbidding the handling or printing of Access Keys and requiring user confirmation for all parameters before execution. No evidence of malicious intent, data exfiltration, or unauthorized execution was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can retrieve live-stream and recording metadata from the Alibaba Cloud account configured in the CLI.
The skill uses the user's Alibaba Cloud identity to query Live recording, stream, configuration, and callback data. This is purpose-aligned and read-only, but it is still account-level cloud access.
Pre-check: Alibaba Cloud Credentials Required ... ONLY use `aliyun configure list` to check credential status ... Required Actions: `live:DescribeLiveDomainMapping` ... `live:DescribeLiveRecordNotifyRecords`
Use a least-privilege RAM user or role with only the listed read-only Live permissions, and do not paste access keys or secrets into the chat.
Setup may change the local Aliyun CLI plugin state and install or update plugins on the user's machine.
The skill depends on installing/updating Alibaba Cloud CLI plugins rather than bundled code. This is expected for the diagnostic purpose, but it pulls executable plugin functionality from the CLI ecosystem.
[MUST] run `aliyun configure set --auto-plugin-install true` ... [MUST] run `aliyun plugin update` ... `aliyun plugin install --names live`
Install the CLI and plugins from trusted Alibaba Cloud sources, review plugin update behavior, and run setup in an environment where CLI changes are acceptable.
Aliyun CLI AI mode and the configured user-agent may remain enabled for future CLI use.
These commands appear to persistently alter Aliyun CLI configuration before diagnostic commands run. No autonomous background behavior is shown, but users should know the setting may remain after the session.
[MUST] Enable AI-Mode ... `aliyun configure ai-mode enable` ... `aliyun configure ai-mode set-user-agent --user-agent "AlibabaCloud-Agent-Skills/alibabacloud-liverecord-diagnosis"`
If you do not want these settings to persist, review the Aliyun CLI configuration after use and disable or reset AI-mode settings as needed.
A user could accidentally expose long-lived access keys if they copy credential setup commands into a shared terminal transcript or chat.
The reference guide includes direct credential-configuration examples. The main SKILL.md forbids handling AK/SK values in-session, so this appears to be setup documentation rather than intended agent behavior, but it is sensitive.
`aliyun configure set --mode AK --access-key-id <your-access-key-id> --access-key-secret <your-access-key-secret> --region cn-hangzhou`
Follow the stricter main authentication rules: configure credentials outside the agent session, prefer RAM roles or short-lived STS credentials, and never reveal AK/SK values.