Alibabacloud Sase Pa Network Diagnosis
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: alibabacloud-sase-pa-network-diagnosis
Version: 0.0.1-beta.1

The skill bundle facilitates Alibaba Cloud SASE network diagnostics but is classified as suspicious due to the inclusion of high-risk execution patterns. Specifically, SKILL.md and references/cli-installation-guide.md instruct the agent to execute remote scripts via 'curl|bash' and 'wget|sh' from aliyuncli.alicdn.com for environment setup. It also requires enabling automatic plugin installation ('auto-plugin-install true'), which represents a significant attack surface (RCE risk). While these actions are plausibly needed for the stated purpose and the bundle includes strong security instructions against credential exposure, the reliance on unverified remote execution qualifies as a high-risk vulnerability under the analysis criteria.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the active Aliyun profile is overprivileged, the agent may use broader cloud authority than needed while performing diagnosis.
The skill depends on an existing Alibaba Cloud identity to call SASE APIs, which is expected for the purpose but gives the agent access through the user's cloud account.
Use an existing Aliyun CLI credential profile and verify it with `aliyun configure list`.
Use a dedicated RAM user/profile with only the listed `csas:ListUserDevices`, `csas:CreatePADiagnosisTask`, and `csas:GetPADiagnosisTask` permissions, and do not paste AK/SK secrets into chat.
Running the workflow can create diagnosis tasks and retrieve SASE device, network-link, DNS, and policy information.
The documented workflow includes cloud API calls that query user devices and create diagnosis tasks; these actions are purpose-aligned but are still real account operations.
`ListUserDevices` ... `CreatePADiagnosisTask` ... `GetPADiagnosisTask`
Review and confirm target host, port, protocol, username/device identifiers, and profile before allowing the commands to run; use `--cli-dry-run` where appropriate.
Your local Aliyun CLI installation or plugins may be installed or updated, and the CLI may continue auto-installing plugins afterward.
The setup guidance can execute a remote installer and enable automatic Aliyun CLI plugin installation/updates. This is relevant to the skill's purpose, but it changes local tooling and pulls code from a remote source.
run `curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash` ... [MUST] run `aliyun configure set --auto-plugin-install true` ... `aliyun plugin update`
Run installation/update commands manually after verifying the source, and consider reverting persistent CLI settings if you do not want automatic plugin installation enabled.
