Alibabacloud Pai Rec Diagnosis
Pass. Audited by ClawScan on May 10, 2026.
Overview
This appears to be a legitimate Alibaba Cloud PAI-Rec diagnostic skill, but it uses Alibaba Cloud credentials and changes local Aliyun CLI/plugin settings, so it should be used with least-privilege credentials.
Install only if you need Alibaba Cloud PAI-Rec diagnosis. Use a scoped read-only RAM profile, do not paste access keys into chat, review CLI/plugin setup before running it, and verify AI-mode/auto-plugin settings after the session.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

The agent can query resources in the active Alibaba Cloud account within whatever permissions that profile has.
The skill requires an existing Alibaba Cloud credential profile to run diagnostic commands, but it also explicitly forbids reading, echoing, or asking for AK/SK values.
**Pre-check: Alibaba Cloud Credentials Required** ... **ONLY** use `aliyun configure list` to check credential status
Use a temporary or RAM role/profile limited to the specific EAS service and PAI-Rec instance; avoid root or broad admin credentials.

Installing or updating CLI components may affect future Aliyun CLI behavior outside this skill.
The setup path can execute a downloaded installer and update/install Aliyun CLI plugins. This is disclosed and relevant to the skill, but it changes local tooling and depends on provider-hosted code.
run `curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash` ... `aliyun configure set --auto-plugin-install true` ... `aliyun plugin update`
Run setup steps manually, verify the source, prefer package-manager installation when available, and consider disabling auto-plugin-install after use if you do not want persistent automatic plugin installation.

AI-mode could remain enabled in the local Aliyun CLI after an abnormal stop.
The skill intentionally changes a local Aliyun CLI mode and includes a cleanup requirement. The behavior is disclosed, but the state could remain enabled if execution is interrupted.
`aliyun configure ai-mode enable` ... **[MUST] Disable AI-Mode at EVERY exit point** ... `aliyun configure ai-mode disable`
After using the skill, run or verify `aliyun configure ai-mode disable`, especially if the workflow errors or is cancelled.

Logs or configs may reveal service names, endpoints, environment variables, request traces, or business logic.
The diagnostic workflow brings service logs and engine configuration content into the agent context. That is expected for diagnosis, but these materials can contain sensitive operational details.
`describe-service-log` ... Trace request processing by `request_id` ... `ConfigValue`: The actual configuration content (JSON/YAML)
Limit log queries to the needed request or time window, redact secrets or customer data before sharing outputs, and avoid pasting broad logs into unrelated sessions.

Running these commands with sufficient privileges can grant a user or role new read access to EAS and PAI-Rec resources.
The reference documentation includes IAM policy creation and attachment commands. They are user-directed permission setup examples, but they mutate cloud account permissions.
`aliyun ram create-policy` ... `--policy-name PAIRecDiagnosisReadOnly` ... `aliyun ram attach-policy-to-user`
Prefer the resource-specific policy shown in the document, have an administrator review any RAM changes, and do not let the agent apply IAM changes without explicit approval.
