Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Alibabacloud Sdk Client Initialization For Golang
v0.0.1-beta
Initialize and manage Alibaba Cloud SDK clients in Go. Covers sync.Once singleton, goroutine safety, endpoint vs region configuration, VPC endpoints, and deb...
by alibabacloud-skills-team@sdk-team
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description and the SKILL.md are consistent: the document provides Go examples and best practices for initializing Alibaba Cloud SDK clients (singleton pattern, endpoints, VPC endpoints, debug). However the runtime instructions rely on environment credentials (ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET) even though the skill metadata lists no required env or primary credential, which is an omission/incoherence.
Instruction Scope
The SKILL.md contains concrete code that calls os.Getenv(...) for sensitive credentials and suggests setting DEBUG=tea to log all requests. The manifest did not declare those environment requirements. The instructions also recommend panicking on client construction errors (which may crash a process) and enabling debug logging that could expose sensitive headers/payloads — these behaviors expand the security surface beyond what the manifest communicates.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to be written or executed by an installer, which is the lowest-risk install mechanism.
Credentials
Although asking for Alibaba Cloud credentials is reasonable for an SDK client, the skill manifest declares no required environment variables or primary credential while the code examples explicitly read ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET (and references DEBUG). This mismatch (undeclared sensitive env access) is disproportionate and should be fixed or justified.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide settings, and is instruction-only. It does not request persistent presence or elevated agent privileges.
What to consider before installing
This skill appears to do what it says (Go best practices for Alibaba Cloud clients) but it uses sensitive environment variables in its examples while the manifest declares none. Before installing or using it: (1) Confirm where and how your ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET will be provided and stored; prefer instance/RAM roles or short-lived STS tokens over long-lived keys. (2) Avoid enabling DEBUG=tea in production—it can log request contents and headers with secrets. (3) If you plan to allow the agent to run these instructions, ensure the agent process/enclave cannot exfiltrate environment variables to untrusted endpoints. (4) Ask the skill author to declare required env vars (and primary credential) in the manifest or to show vetted code; treat the current omission as a red flag. If you need higher assurance, request the actual source code or a signed, published reference rather than instruction-only content.
Like a lobster shell, security has layers — review code before you run it.
