Alibabacloud Network Ga Deploy Acceleration
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill matches its Alibaba Cloud GA deployment purpose, but it should be reviewed because it uses high-impact Alibaba Cloud credentials and its setup guide can encourage unsafe access-key handling.
Install only if you are comfortable letting the agent help operate Alibaba Cloud GA resources. Configure Alibaba Cloud credentials outside the chat, use a dedicated least-privilege RAM profile, inspect every Aliyun CLI command before execution, and explicitly confirm any service activation, AutoPay creation, update, or deletion.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If followed, a user could accidentally disclose Alibaba Cloud access keys to the agent session or local command history, giving broad account access to anyone who obtains them.
This reference encourages passing Alibaba Cloud access keys and secrets as command-line arguments in agent-driven automation. That conflicts with the safer SKILL.md authentication rule to avoid handling AK/SK values in-session and could expose secrets in chat, shell history, or logs.
```bash
aliyun configure set \
  --mode AK \
  --access-key-id <your-access-key-id> \
  --access-key-secret <your-access-key-secret> \
  --region cn-hangzhou
```
All `aliyun configure` commands support non-interactive flags, which is the recommended approach — it works in scripts, CI/CD pipelines, and agent-driven automation
Do not provide AK/SK values to the agent. Configure credentials out of band, prefer short-lived STS or least-privilege RAM users, and revise the guide so credential examples are clearly manual-only and not agent-run.
The skill can modify or delete GA resources across the account if run with these permissions, potentially affecting production traffic.
The documented least-privilege policy still grants account-wide GA management actions, including service activation, creation, updates, and deletion. This is expected for a GA deployment skill but is high-impact.
```json
"Action": [
  "ga:DescribeAcceleratorServiceStatus",
  "ga:OpenAcceleratorService",
  "ga:CreateAccelerator",
  ...
  "ga:DeleteForwardingRules"
],
"Resource": "*"
```
Use a dedicated Alibaba Cloud profile/RAM user, avoid root credentials, grant only the needed GA permissions, and confirm target account, region, resource IDs, and rollback plan before changes.
Running the deployment can incur Alibaba Cloud charges and alter live network routing or acceleration behavior.
The skill's example workflow creates a pay-as-you-go GA instance with automatic payment. This is aligned with deployment, but it is a paid, mutating cloud action.
```bash
aliyun ga CreateAccelerator \
  --region cn-hangzhou \
  --method POST \
  --Name "GA-Acceleration-Example" \
  --InstanceChargeType "POSTPAY" \
  --BandwidthBillingType "CDT" \
  --AutoPay true
```
Require explicit user confirmation before paid or destructive commands, review generated CLI commands, and consider a dry-run/read-only discovery step before creation or deletion.
Future CLI calls may download and run provider CLI plugins that were not included in this skill review.
The skill instructs enabling automatic Aliyun CLI plugin installation. This is purpose-aligned for Alibaba Cloud product APIs, but it allows runtime installation of CLI plugins outside the reviewed skill artifact.
Then **[MUST]** run the following to enable automatic plugin installation:
```bash
aliyun configure set --auto-plugin-install true
```
Install Aliyun CLI/plugins from official sources, verify versions where possible, run in a controlled environment, and disable automatic plugin installation after required plugins are installed if not needed.
A user may underestimate the account access and local CLI setup needed before reading the full skill instructions.
The registry metadata does not declare the Aliyun CLI or Alibaba Cloud credential dependency, even though the skill documentation requires both. The SKILL.md does disclose them, so this is a metadata under-disclosure rather than hidden behavior.
Required binaries (all must exist): none
Required env vars: none
Primary credential: none
Update metadata to declare the Aliyun CLI dependency and Alibaba Cloud credential/profile requirement.
