Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Alibabacloud Polardb Ai Assistant
v0.0.1-beta.1
Alibaba Cloud PolarDB Database AI Assistant. For PolarDB MySQL/PostgreSQL cluster management, performance diagnostics, parameter tuning, slow SQL analysis, b...
by alibabacloud-skills-team@sdk-team
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, script, and docs all focus on invoking Alibaba Cloud DAS (GetYaoChiAgent/GetDasAgentSSE) for PolarDB diagnostics. Requiring the aliyun CLI, DAS plugin, and credentials is coherent with the claimed purpose.
Instruction Scope
Runtime instructions and the included script only call the aliyun CLI and parse SSE/JSON responses, which is in-scope. The skill will use whatever credentials the local aliyun CLI config or ALIBABA_CLOUD_* env vars provide — this is expected but means the skill can act with those privileges. There is a small internal inconsistency: some references/acceptance-criteria claim the DAS API uses PascalCase CLI commands (GetYaoChiAgent) and that kebab-case is incorrect, while the script and other docs use kebab-case plugin commands (get-yao-chi-agent). This mismatch is likely benign but reduces confidence in exact command/usage details.
Install Mechanism
The skill is instruction-only (no install spec), but it instructs users to install the aliyun CLI and DAS plugin and provides curl|bash and wget download commands from aliyuncli.alicdn.com (official vendor CDN). Downloading and running vendor installers is common but inherently higher-risk than pure documentation — verify the URL and vendor before running installer commands.
Credentials
No unrelated credentials are requested by the skill. The docs correctly explain that the skill relies on the standard aliyun CLI configuration or ALIBABA_CLOUD_* env vars (AK/SK, STS token, ECS role, etc.), which is proportional to a cloud-management assistant. Users should be aware the skill will act with whatever permissions those credentials grant.
Persistence & Privilege
The skill is not marked always:true and does not request persistent system-wide privileges or modify other skills. It instructs installing the CLI/plugin (normal for cloud tools) but does not itself write credentials or change unrelated agent settings.
What to consider before installing
This skill appears to do what it says: it calls Alibaba Cloud's DAS APIs via the aliyun CLI to diagnose PolarDB. Before installing or running it:
1) verify you trust the aliyun CLI download URLs (aliyuncli.alicdn.com) and the DAS plugin; avoid running curl|bash from unknown sources;
2) run the tool with a least-privilege RAM user or STS token (do not use root or broad admin keys);
3) review and confirm any command parameters and outputs before the script runs (the SKILL.md emphasizes explicit confirmation);
4) note the skill will use whatever credentials are configured in your environment (~/.aliyun/config.json or ALIBABA_CLOUD_* env vars), so ensure those credentials have only the permissions you intend to grant.
Finally, because the package has a small internal docs/scripts inconsistency about exact CLI invocation, test in a safe account or with read-only credentials first.
Like a lobster shell, security has layers — review code before you run it.
