Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Alibabacloud Migrate
v0.0.1-beta.1
Assess and migrate workloads from AWS to Alibaba Cloud. Follows a 4-phase methodology: Phase 1 (source architecture assessment), Phase 2 (migration plan gene...
by alibabacloud-skills-team@sdk-team
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (assess and migrate AWS workloads to Alibaba Cloud) matches the provided scripts and docs — they enumerate AWS resources and use Alibaba CLI/Terraform for deployment. However, the registry metadata declares no required env vars / credentials while the SKILL.md and scripts explicitly require AWS credentials for Phase 1 and Alibaba Cloud credentials for Phase 3. That mismatch (metadata says 'none', runtime requires IAM/AK/SK or configured CLI profiles) is an incoherence worth flagging.
Instruction Scope
SKILL.md instructs the agent (and operator) to run the included aws-scan-region.sh and aws-scan-enrich.sh scripts which perform extensive discovery (IAM policies, Lambda policies, S3 buckets, RDS, EKS, etc.). This breadth is consistent with a migration assessment, and the SKILL.md contains explicit 'STOP' checks and a rule not to print AK/SK. Still, the instructions will produce and store detailed inventory files (potentially containing resource IDs, IPs, policy text) and in some places show CLI examples that include credentials as placeholders — users must avoid pasting secrets into logs or chat.
Install Mechanism
No install spec; this is essentially an instruction-based skill with bundled scripts and reference docs. There is no remote download/install step in the registry metadata, so nothing is pulled from arbitrary URLs at install time. Risk is limited to executing the included scripts locally.
Credentials
The operational workflow legitimately requires AWS credentials (read-heavy, many Describe/List/Get operations across many services) and Alibaba Cloud credentials for provisioning and migration actions. Those credentials are not declared in the skill metadata (requires.env empty), creating an information-gap risk for users and tooling. The scripts request broad read permissions across many AWS services (IAM, S3, RDS, Lambda, EKS, CloudFront, etc.) — appropriate for a full inventory but high-sensitivity and should be limited to least-privilege read-only roles and run in an account/role intended for discovery.
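The least-privilege discovery role recommended above, as an added example that is not part of the skill or its bundled scripts. It layers an explicit Deny on top of the AWS-managed ReadOnlyAccess policy so the Phase 1 inventory keeps its Describe/List/Get metadata calls but cannot read object contents, secrets, SSM parameters, KMS-wrapped data or table rows. The role name, the trusted principal ARN and the account ID are placeholders, and the deny list is a suggested starting set, not something the skill defines.

```shell
#!/usr/bin/env bash
# Added example (not from the skill): a Phase 1 discovery role that can enumerate
# AWS resources but is explicitly denied data-plane reads.
# Placeholders: ROLE_NAME, TRUSTED_PRINCIPAL (account 123456789012 is the AWS docs example).
set -u

ROLE_NAME="${ROLE_NAME:-aws-to-alibaba-discovery}"
TRUSTED_PRINCIPAL="${TRUSTED_PRINCIPAL:-arn:aws:iam::123456789012:user/migration-operator}"

# Trust policy: only the named operator principal may assume the role; never "*".
trust_policy() {
  cat <<EOF
{ "Version": "2012-10-17",
  "Statement": [ { "Effect": "Allow",
                   "Principal": { "AWS": "$TRUSTED_PRINCIPAL" },
                   "Action": "sts:AssumeRole" } ] }
EOF
}

# Inline policy layered on ReadOnlyAccess. An explicit Deny wins over any Allow,
# so the inventory scripts keep iam:GetPolicyVersion, lambda:GetPolicy,
# s3:GetBucketPolicy and the like, but cannot pull data the migration
# assessment never needs (object bodies, secret values, parameters, rows).
discovery_deny_policy() {
  cat <<'EOF'
{ "Version": "2012-10-17",
  "Statement": [ { "Sid": "NoDataPlaneReads",
                   "Effect": "Deny",
                   "Action": [
                     "s3:GetObject", "s3:GetObjectVersion",
                     "secretsmanager:GetSecretValue",
                     "ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath",
                     "kms:Decrypt",
                     "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:Scan",
                     "rds:DownloadDBLogFilePortion"
                   ],
                   "Resource": "*" } ] }
EOF
}

# Offline check a reviewer can run before applying: is the given action denied?
policy_denies() { discovery_deny_policy | grep -q "\"$1\""; }

# Creates the role. Only runs when invoked with "apply"; the generators above are pure.
apply_discovery_role() {
  aws iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document "$(trust_policy)"
  aws iam attach-role-policy --role-name "$ROLE_NAME" \
      --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess
  aws iam put-role-policy --role-name "$ROLE_NAME" \
      --policy-name NoDataPlaneReads \
      --policy-document "$(discovery_deny_policy)"
}

if [ "${1:-}" = "apply" ]; then
  apply_discovery_role
fi
```

Run `./discovery-role.sh apply` from an operator session that already has IAM permissions, then assume the role and point `aws-scan-region.sh` at it. If a scan step fails with AccessDenied on one of the denied actions, treat that as the interesting finding: a migration inventory should not need data contents, so look at why the script is asking.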
Persistence & Privilege
The skill does not request always: true, does not modify other skills or system-wide settings in the manifest, and does not declare autonomous always-on privileges. It will read and write local inventory files when you run the scripts, but there is no built-in persistent agent or automatic background process in the package metadata.
What to consider before installing
This package appears to implement a genuine AWS→Alibaba migration playbook and includes the discovery scripts you'll run locally. Before installing or running anything:
1) Don't trust the registry metadata alone: the SKILL.md requires AWS credentials (or a full manual inventory) and Alibaba Cloud credentials. Treat that as normal, but verify it.
2) Review the bundled scripts (scripts/aws-scan-*.sh and terraform_runtime_online.sh) yourself. They will enumerate many AWS services and write inventory files containing resource IDs, policies, IPs, etc. Run them only from an environment/account intended for discovery (use a least-privilege, read-only IAM role where possible).
3) Never paste AK/SK into chat or public logs. Follow the SKILL.md advice to configure credentials locally (aws/aliyun CLI or environment variables) and avoid sending files containing secrets.
4) Because the metadata did not declare required env vars, make sure any automation or CI that consumes registry metadata is updated to prompt for credentials, and audit the outputs for sensitive data before sharing them.
5) If you plan to run migration steps that perform writes (Terraform apply, DTS StartMigrationJob, ImportImage), do so in a controlled test account first and ensure billing / IAM policies are prepared.
If you want higher assurance, run the discovery scripts in a sandboxed account or provide a manual inventory instead of granting broad read access.
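The "audit outputs for sensitive data before sharing" step, as an added example that is not part of the skill. It scans an inventory directory for credential-shaped strings (AWS and Alibaba Cloud AccessKey IDs, secret-key assignments, private-key blocks, presigned-URL signatures) and reports file, line and category without echoing the match itself. The pattern set is a heuristic I chose, not anything the skill ships; the sample inventory files and the planted keys are constructed (the AWS documentation example key pair and a made-up `LTAI...` ID), and file names containing `:` are not handled.

```shell
#!/usr/bin/env bash
# Added example (not from the skill): pre-share audit of migration inventory files.
# Patterns are deliberately loose; they flag candidates for a human to review.
set -u

# <label> <extended regex>; the regex is the remainder of the line.
SECRET_PATTERNS='aws-access-key-id (AKIA|ASIA)[A-Z0-9]{16}
aws-secret-key-assignment (aws_secret_access_key|AWS_SECRET_ACCESS_KEY)[[:space:]]*[=:][[:space:]]*[A-Za-z0-9/+=]{40}
alibaba-access-key-id LTAI[A-Za-z0-9]{12,}
alibaba-secret-assignment (AccessKeySecret|ALIBABA_CLOUD_ACCESS_KEY_SECRET|ALICLOUD_SECRET_KEY)[[:space:]]*[=:"]+[[:space:]]*[A-Za-z0-9]{30}
private-key-block -----BEGIN( RSA| EC| OPENSSH)? PRIVATE KEY-----
presigned-url X-Amz-(Credential|Signature)='

# scan_inventory_for_secrets DIR: prints "file:line  label" per hit plus a total;
# returns 0 only when nothing credential-shaped was found.
scan_inventory_for_secrets() {
  local dir="$1" hits=0 label regex match file rest found
  while read -r label regex; do
    [ -n "$label" ] || continue
    # -r recurse, -H always prefix filename, -I skip binaries, -n line numbers;
    # -e/-- keep a regex starting with "-" from being parsed as an option.
    found=$(grep -rHIEn -e "$regex" -- "$dir" 2>/dev/null) || continue
    while IFS= read -r match; do
      file=${match%%:*}
      rest=${match#*:}
      # Report location and category only; never re-leak the matched value.
      printf '%s:%s  %s\n' "$file" "${rest%%:*}" "$label"
      hits=$((hits + 1))
    done <<MATCHES
$found
MATCHES
  done <<PATTERNS
$SECRET_PATTERNS
PATTERNS
  printf 'secret candidates: %d\n' "$hits"
  [ "$hits" -eq 0 ]
}

# Constructed sample inventory: clean/ holds the kind of output aws-scan-*.sh
# should produce; notes.txt is a planted leak using documentation example keys.
demo_inventory() {
  local dir
  dir=$(mktemp -d)
  mkdir -p "$dir/clean"
  cat >"$dir/clean/ec2.json" <<'EOF'
{ "InstanceId": "i-0a1b2c3d4e5f67890", "PrivateIpAddress": "10.0.1.5",
  "IamInstanceProfile": "arn:aws:iam::123456789012:instance-profile/web",
  "SecurityGroups": ["sg-0123456789abcdef0"] }
EOF
  cat >"$dir/notes.txt" <<'EOF'
# constructed sample: documentation example keys, planted on purpose
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
ALIBABA_CLOUD_ACCESS_KEY_ID=LTAI5tExampleExampleAB
EOF
  printf '%s\n' "$dir"
}

if [ "${1:-}" = "--demo" ]; then
  scan_inventory_for_secrets "$(demo_inventory)"
fi
```

Run it as `./audit-inventory.sh ./inventory` in CI or before attaching inventory files to a ticket; a non-zero exit blocks the share. The `--demo` flag runs it against the constructed sample, where the clean directory passes and the planted notes.txt produces three candidates.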
