Skill v0.0.2

ClawScan security

Alibabacloud Oss Manage Network Probe · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 24, 2026, 8:14 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only helper for running aliyun ossutil probe, and its requirements, commands, and permissions align with that purpose.
Guidance
This skill is coherent and appears to be what it claims: a runbook for using the Alibaba Cloud CLI and ossutil probe. Before installing or running it, confirm you understand: (1) the agent will call your local aliyun/ossutil binary and may upload/download temporary objects, so grant only minimal RAM permissions (oss:GetObject; oss:PutObject and oss:DeleteObject only when needed) and scope the policy's Resource to the probe bucket and prefix rather than a wildcard; (2) never enter AK/SK into a conversation or let the agent echo secret values; use local CLI configuration or environment variables under your control; (3) the skill may write local log files (logOssProbe*.log), so review these for sensitive information before sharing them (presigned URLs carry the access key ID and signature in their query string and should be redacted); and (4) for tighter safety, run probes from a test account or environment and confirm before any object creation or deletion. If the skill later includes code files, remote downloads, or unknown endpoints, re-evaluate: that would be a material change to risk.
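The redaction step in point (3) is easy to get wrong with a blanket regex, because the parts of a presigned URL you want to keep when reviewing a probe log (bucket, object key, expiry) sit next to the parts that must go. The following Python is an added example written for this review, not code from the skill or from ossutil: it parses each URL in a logOssProbe*.log line and blanks only the credential-bearing query parameters (OSSAccessKeyId, Signature and security-token for V1-signed URLs; x-oss-credential, x-oss-signature and x-oss-security-token for V4), leaves everything else in place, and then masks any bare AccessKey ID by its LTAI prefix. The log lines, bucket name, region and object key are constructed sample data; the minimum AccessKey ID length used in the regex is an assumption, and the V4 parameter list should be checked against the ossutil version you run.

```python
"""Redact credential material from ossutil probe logs (e.g. logOssProbe*.log).

Added example for this review; not part of the skill or of ossutil.
"""
import re
import sys
from pathlib import Path
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters that carry credentials in OSS presigned URLs.
# V1 signing uses OSSAccessKeyId/Signature (+ security-token with STS);
# V4 signing uses x-oss-credential/x-oss-signature (+ x-oss-security-token).
# Compared case-insensitively; expiry, date and the object path are kept.
SENSITIVE_PARAMS = {
    "ossaccesskeyid", "signature", "security-token",
    "x-oss-credential", "x-oss-signature", "x-oss-security-token",
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Alibaba Cloud AccessKey IDs start with "LTAI"; the minimum tail length
# below is an assumption chosen so the bare prefix alone never matches.
AK_ID_RE = re.compile(r"\bLTAI[A-Za-z0-9]{12,}\b")
MASK = "REDACTED"


def redact_url(url: str) -> tuple[str, int]:
    """Blank sensitive query values of one URL; return (url, redactions)."""
    parts = urlsplit(url)
    if not parts.query:
        return url, 0
    hits = 0
    kept = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_PARAMS:
            kept.append((key, MASK))
            hits += 1
        else:
            kept.append((key, value))
    rebuilt = urlunsplit((parts.scheme, parts.netloc, parts.path,
                          urlencode(kept), parts.fragment))
    return rebuilt, hits


def redact_line(line: str) -> tuple[str, int]:
    """Redact every URL in a log line, then any bare AccessKey ID."""
    total = 0

    def _sub(match: re.Match) -> str:
        nonlocal total
        url, hits = redact_url(match.group(0))
        total += hits
        return url

    line = URL_RE.sub(_sub, line)
    line, ak_hits = AK_ID_RE.subn(MASK, line)
    return line, total + ak_hits


def redact_text(text: str) -> tuple[str, int]:
    """Redact a whole log body, preserving line endings; return (text, hits)."""
    out, total = [], 0
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        ending = line[len(body):]
        fixed, hits = redact_line(body)
        out.append(fixed + ending)
        total += hits
    return "".join(out), total


def redact_file(src: Path, dst: Path) -> int:
    """Write a redacted copy of src to dst; return the number of redactions."""
    text, hits = redact_text(src.read_text(encoding="utf-8", errors="replace"))
    dst.write_text(text, encoding="utf-8")
    return hits


# Constructed sample lines in the style of a probe log; not real output.
SAMPLE_LOG = (
    "2026-04-24 08:10:01 probe: upload ok bucket=my-probe-bucket object=probe/1k.bin\n"
    "2026-04-24 08:10:02 presign: https://my-probe-bucket.oss-cn-hangzhou.aliyuncs.com"
    "/probe/1k.bin?OSSAccessKeyId=LTAI5tExampleExampleXYZ1&Expires=1777020602"
    "&Signature=abc%2Fdef%3D\n"
    "2026-04-24 08:10:03 presign(v4): https://my-probe-bucket.oss-cn-hangzhou.aliyuncs.com"
    "/probe/1k.bin?x-oss-credential=LTAI5tExampleExampleXYZ1%2F20260424%2Fcn-hangzhou"
    "%2Foss%2Faliyun_v4_request&x-oss-date=20260424T001003Z&x-oss-expires=600"
    "&x-oss-signature=0123abcd&x-oss-signature-version=OSS4-HMAC-SHA256\n"
    "2026-04-24 08:10:04 stat: https://my-probe-bucket.oss-cn-hangzhou.aliyuncs.com"
    "/probe/1k.bin 1024 bytes\n"
    "2026-04-24 08:10:05 debug: profile ak=LTAI5tExampleExampleXYZ1\n"
)

if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(f"{redact_file(Path(sys.argv[1]), Path(sys.argv[2]))} redactions")
    else:
        text, hits = redact_text(SAMPLE_LOG)
        print(text, end="")
        print(f"{hits} redactions", file=sys.stderr)
```

Run it as `python redact_probe_log.py logOssProbe.log logOssProbe.redacted.log` before attaching a log to a ticket; with no arguments it processes the embedded sample. Keeping Expires and x-oss-date visible is deliberate: they let a reviewer tell whether a leaked URL was still valid at the time of the leak, while the masked OSSAccessKeyId, Signature and x-oss-credential values are what would let someone reuse it.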

Review Dimensions

Purpose & Capability
ok
Name/description match the runtime instructions. All required actions (ossutil probe, presign, cp, rm, stat) are exactly what a network/bandwidth/symlink probe for Alibaba Cloud OSS would need; no unrelated credentials, binaries, or host accesses are requested in the registry metadata.
Instruction Scope
ok
SKILL.md stays within scope: it instructs the agent to run local aliyun/ossutil commands, perform local symlink checks, confirm parameters with the user, and avoid printing credentials. It explicitly forbids enumerating secrets and requires user confirmation before uploading/deleting objects. The agent will perform network I/O and local filesystem checks as expected for this scenario.
Install Mechanism
ok
This is an instruction-only skill with no install spec or bundled code. The included installation guidance references official Alibaba download hosts (alicdn.com) for manual installation, which is consistent and low-risk for an install guide.
Credentials
ok
The skill requests no declared environment variables or credentials in the registry metadata. SKILL.md mentions common optional env vars (ALIBABA_CLOUD_PROFILE, HTTP(S)_PROXY) that are reasonable for CLI operation. It relies on the user's existing Alibaba CLI credentials rather than requesting new or unrelated secrets.
Persistence & Privilege
ok
The skill is not always-enabled and does not request elevated platform privileges. It does not modify other skills or system-wide settings beyond recommending local CLI configuration commands; autonomous invocation remains at the platform default and is not combined with other concerning privileges.