Alibabacloud Sdk Client Initialization For Golang

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only Go SDK setup guide with normal cloud-credential examples, but users should handle keys and debug logs carefully.

Safe to install as documentation. Before using the examples, prefer least-privilege RAM roles or temporary credentials where possible, keep access keys out of code and logs, rotate exposed keys, and avoid enabling DEBUG logging in production or sharing unredacted debug output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill demonstrates loading long-lived Alibaba Cloud access keys directly from environment variables without any warning about secure handling, rotation, or safer alternatives such as RAM roles/STS. In a credential-initialization skill, this omission is materially risky because users may copy the pattern into production and normalize insecure secret management practices.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill recommends enabling SDK debug logging for all requests but does not warn that request logs may include sensitive metadata, headers, identifiers, or even credential-bearing material depending on SDK behavior. Because this skill is specifically about client initialization, users are likely to enable this in real environments, increasing the chance of accidental secret exposure through logs.

VirusTotal

42/42 vendors flagged this skill as clean.
