ClawHub

Alibabacloud Odps Cost Analysis

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Alibaba Cloud MaxCompute cost-analysis helper, but its CLI installation and credential setup guidance should be handled carefully.

Install only if you are comfortable allowing an agent to run scoped Aliyun CLI MaxCompute cost queries against your Alibaba Cloud account. Prefer a dedicated least-privilege RAM user or role, avoid pasting long-lived secrets into command lines, verify installer scripts or use a package manager where possible, and confirm the active CLI profile and region before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guide recommends passing long-lived access keys directly on the command line and storing them in the local CLI config, but it does not clearly warn that secrets may be exposed through shell history, process inspection, terminal logging, or local file compromise. In an agent/automation context, this is especially risky because commands may be logged or replayed by orchestration systems, increasing the chance of credential leakage.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The environment variable examples show how to export cloud credentials without warning that environment variables are inherited by child processes and can be exposed in CI/CD logs, shared shells, crash reports, or debugging output. Because this skill is intended for cost analysis and likely agent-driven automation, the omission increases the chance that valid cloud credentials are unintentionally propagated beyond the intended scope.

External Script Fetching

High
Category
Supply Chain
Content
**Pre-check: Aliyun CLI >= 3.3.3 required**
> Run `aliyun version` to verify >= 3.3.3. If not installed or version too low,
> run `curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash` to update,
> or see `references/cli-installation-guide.md` for installation instructions.
>
> Then [MUST] run `aliyun plugin update` to ensure that any existing plugins on your local machine are always up-to-date.
Confidence
98% confidence
Finding
curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal