Alibabacloud Openclaw Ecs Dingtalk

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent cloud-deployment skill, but it uses powerful Alibaba Cloud permissions to create billable resources, run remote setup commands, and handle API and DingTalk secrets.

Install only if you intend to let the agent deploy cloud infrastructure on Alibaba Cloud. Use a dedicated RAM user or role with the custom least-privilege policy, avoid FullAccess in production, review costs for ECS/EIP resources, verify any external plugins before installation, and rotate or revoke Bailian and DingTalk credentials when the deployment is no longer needed.

Static analysis

Generated source template injection

Critical
Finding
User-controlled placeholder is embedded directly into generated source code.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Medium
What this means

The agent may create, configure, and modify cloud resources on the user's behalf, including operations that can affect availability or cost.

Why it was flagged

The skill directs the agent to orchestrate cloud APIs and Cloud Assistant commands. This is expected for deploying an ECS-hosted service, but it is powerful automation that should stay user-directed.

Skill content
Execute steps in order; verify success after each step; inform user of current step ... Cloud Assistant `RunCommand` results: poll `DescribeInvocations` every 15+ seconds
Recommendation

Use a dedicated RAM user or role, review the planned commands before execution, and confirm region, instance size, network exposure, and cleanup steps.

ASI03: Identity and Privilege Abuse
Medium
What this means

If granted, these permissions can create billable infrastructure, run commands on ECS instances, and create reusable model-service credentials.

Why it was flagged

The documented least-privilege policy still grants broad cloud actions across resources, including instance creation/deletion, remote command execution, public IP allocation, and Bailian API key creation.

Skill content
"ecs:RunInstances", "ecs:DeleteInstance", "ecs:RunCommand" ... "vpc:AllocateEipAddress" ... "modelstudio:CreateApiKey" ... "Resource": "*"
Recommendation

Prefer the custom policy over FullAccess, scope by region/resource where Alibaba Cloud supports it, monitor spending, and revoke or rotate generated API keys when no longer needed.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

A changed or compromised upstream plugin could affect the deployed bot service.

Why it was flagged

The workflow depends on an external OpenClaw plugin, and the provided reference does not pin a specific package version or include package provenance details.

Skill content
Confirm the OpenClaw DingTalk plugin is installed (`openclaw plugins install @dingtalk-real-ai/dingtalk-connector`)
Recommendation

Install plugins from trusted sources, verify package identity and version, and prefer pinned versions or checksums where available.

ASI05: Unexpected Code Execution
Medium
What this means

Commands run through Cloud Assistant can install software and change the ECS instance configuration.

Why it was flagged

The skill's deployment model includes Cloud Assistant remote command execution on the ECS instance. This is central to server setup, but it is still remote code execution under the user's cloud authority.

Skill content
"ecs:RunCommand" | "ecs:RunCommand" | Execute remote commands
Recommendation

Review remote setup commands, run only on a dedicated instance, and avoid reusing the same instance for unrelated sensitive workloads.

ASI07: Insecure Inter-Agent Communication
Low
What this means

DingTalk messages sent to the bot may be processed by the deployed OpenClaw service and the configured model provider.

Why it was flagged

The skill intentionally bridges DingTalk group messages, a hosted OpenClaw service, and Bailian model access. This is expected, but it creates a multi-service communication path for user messages and bot credentials.

Skill content
connect to a DingTalk group via a DingTalk bot, enabling users to chat with AI directly in DingTalk
Recommendation

Use the bot only in appropriate groups, protect the DingTalk Client Secret, restrict who can add or message the bot, and confirm any webhook or message-receiving endpoint is configured securely.