Skill v0.0.1-beta.1
ClawScan security
Alibabacloud Pai Eas Service Deploy · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Apr 23, 2026, 6:50 AM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's behavior (running many Aliyun CLI calls that create cloud resources and require broad Alibaba Cloud credentials) matches its stated purpose, but there are multiple incoherences and risky instructions (missing declared credentials, bundled scripts despite a ban on scripts, and mandatory autonomous creates without user confirmation) that warrant caution.
- Guidance: Before installing: understand this skill will call Aliyun CLI commands that need valid Alibaba Cloud credentials and RAM permissions to list resources and create services (these are billable actions). The package metadata does not declare required credentials even though SKILL.md expects them — confirm how credentials will be supplied (prefer an ECS RAM role or a least-privilege RAM user) and avoid giving root keys. Audit the included scripts (scripts/*.sh) since they exist despite instructions saying not to run scripts. If you install, test in a non-production account with strict billing alerts and least-privilege IAM policies, and consider modifying the workflow to require explicit user confirmation before any create-service call. If you need more assurance, ask the publisher to (1) declare required env vars/primary credential in registry metadata, (2) remove or explain the purpose of bundled scripts, and (3) change the default to prompt before creating resources.
Review Dimensions
- Purpose & Capability (concern): The skill's name/description (PAI‑EAS service deploy) aligns with the actions in SKILL.md (list images, describe machine spec, create-service, describe-service-endpoints). However the manifest declares no required environment variables or primary credential even though every runtime step uses the Aliyun CLI and requires authenticated access. That mismatch (no declared ALIBABA_CLOUD_* or profile requirement) is inconsistent and should be justified.
- Instruction Scope (concern): SKILL.md instructs the agent to run extensive account-scoped operations (aiworkspace list-images, eas describe-machine-spec, eas create-service, vpc/ecs/nlb queries, ossutil) and to create services. It also mandates autonomous execution ("Do NOT ask 'should I proceed?' Execute directly"), auto-switching instance types (silently change CPU→GPU for vLLM/SGLang), and to continue on many failures — behavior that can create billable cloud resources without explicit user confirmation. Those instructions go beyond simple guidance and give the agent broad discretion to act on the user's cloud account.
- Install Mechanism (note): There is no install spec (instruction-only), which is lower risk. However the package contains three shell scripts (scripts/*.sh) while SKILL.md explicitly forbids writing/running bash scripts and instructs to execute CLI commands directly. The coexistence of shipped scripts and a ban on using scripts is an internal inconsistency (likely benign but worth auditing).
- Credentials (concern): SKILL.md lists required_permissions (many Aliyun eas, aiworkspace, vpc, nlb, ecs scopes) indicating need for significant IAM privileges, yet the registry metadata declares no required env vars or primary credential. The skill implicitly needs ALIBABA_CLOUD_ACCESS_KEY_ID/SECRET or an ECS RAM role to run. That omission is disproportionate and confusing: the skill requires broad cloud permissions but doesn't declare or surface how credentials will be provided or limited.
- Persistence & Privilege (concern): The skill is not marked always:true, which is appropriate, but SKILL.md explicitly instructs autonomous execution without user confirmation and to proceed despite many errors. Combined with the broad required permissions and create-service operations, that autonomy increases blast radius (creates or modifies billable/costly resources). This combination should be treated cautiously even though autonomous invocation alone is normal.
