Skillv0.0.2

ClawScan security

Alibabacloud Oss Manage Metaquery · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 24, 2026, 8:14 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's code and runtime instructions generally match its OSS semantic-search purpose, but there are inconsistencies and a few risky instructions (undeclared credentials, remote install via curl|bash) that you should review before installing.
Guidance: This skill appears to do what it advertises (manage MetaQuery/vector semantic search for Alibaba OSS), but review these before installing or running it: - Credentials: The skill will need Alibaba Cloud credentials (AK/SK, STS, or an ECS RAM role). The registry metadata does not declare those env vars — inspect scripts/credentials.py to see how credentials are loaded and avoid providing secrets in chat. Prefer using least-privilege RAM policies or temporary STS tokens scoped to only the actions listed (oss:DoMetaQuery, oss:GetMetaQueryStatus, oss:GetObject, etc.). - Remote install commands: SKILL.md recommends running `curl ... | bash` to install the Aliyun CLI and pip installing packages. Running remote installers is risky — prefer using package manager releases from official sources, verify checksums, or inspect the remote script before executing it. - Permission scope: If you proceed, create a dedicated RAM user or role with the minimal permissions described in references/ram-policies.md, not long-term root credentials. - Inspect code locally: Because the skill ships Python scripts, review credentials.py, validation.py, and any network calls to confirm there are no hardcoded endpoints or unexpected data exfiltration. Confirm that the scripts do not log or print your AK/SK (SKILL.md says 'NEVER' but you should verify). - Test in sandbox: Run the workflow in a non-production account or isolated environment first (or with temporary STS credentials) to confirm behavior. If you want, I can: - Summarize what credentials.py and validation.py do (I can open those files and extract the relevant lines), - Produce the exact least-privilege RAM policy JSON to use for testing, - Or walk you through safely performing the local install steps (verifying downloads and avoiding piping remote scripts directly to bash).

Review Dimensions

Purpose & Capability: noteThe name/description (OSS AI Content Awareness / MetaQuery) matches the included scripts (create_bucket, open_metaquery, semantic_query, upload, close_metaquery, etc.). The scripts perform the expected OSS operations (open metaquery, do metaquery, upload). However, the package metadata declares no required environment variables or primary credential even though the workflow necessarily requires Alibaba Cloud credentials or configured aliyun CLI credentials; that omission is inconsistent and worth calling out.
Instruction Scope: noteSKILL.md confines instructions to OSS-related operations (aliyun CLI, ossutil, Python scripts). It explicitly forbids echoing AK/SK and instructs enabling/disabling CLI AI-mode and using a fixed user-agent. This scope is appropriate for the stated purpose. One concerning instruction: the guide tells the user to run a remote installer with `curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash`, which executes a remote script and is higher-risk than installing from a packaged repository; otherwise the instructions do not ask for unrelated system data.
Install Mechanism: concernThere is no formal install spec (instruction-only), but SKILL.md directs installing the Aliyun CLI via a remote setup script (curl | bash) and pip installing specific Python packages. Recommending execution of an arbitrary remote install script is a higher-risk practice. The Python dependencies (oss2, alibabacloud-credentials) are normal for OSS SDK usage but will execute code on the host. The skill includes local Python scripts (so code will be present and executed if you run them).
Credentials: concernOSS operations legitimately require Alibaba Cloud credentials (AK/SK or STS/RAM roles) or a configured aliyun CLI. The skill text discusses configuring credentials and mentions environment variables (ALIBABA_CLOUD_ACCESS_KEY_ID, etc.), but the skill metadata declares no required env vars or primary credential — an inconsistency. The scripts will read credentials from config or env, so the skill effectively needs privileged secrets even though they are not declared in the metadata.
Persistence & Privilege: okThe skill does not request always:true, does not modify other skills, and has no install-time persistent agent privileges. It only relies on local CLI configuration and runtime execution of the provided scripts when invoked, which is proportional for this type of integration.