Skill v0.0.1
ClawScan security
Alibabacloud Sls Index Config Management · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 30, 2026, 2:02 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only Alibaba Cloud SLS index configuration helper that consistently uses the aliyun CLI and asks for no unrelated credentials or installs; its requirements and runtime instructions align with the stated purpose.
- Guidance: This skill is coherent and uses only the aliyun CLI to manage SLS index configs. Before installing: (1) ensure you have aliyun CLI 3.3.8+ installed and understand the skill will run CLI commands in your environment; (2) confirm your Alibaba Cloud credentials are configured in the CLI (the skill will not ask for or print AK/SK); (3) review and apply least-privilege RAM policies (GetIndex for reads, add Create/Update/Delete only when needed); (4) be aware the skill may run `aliyun plugin update` or `plugin install`, which downloads vendor plugins; if you prefer, install/update the CLI/plugins yourself outside the agent; (5) treat delete-index as destructive: grant explicit confirmation and test in a non-production project if uncertain.
Review Dimensions
- Purpose & Capability (ok): The name/description (SLS index config management) matches the runtime instructions: everything centers on using the aliyun CLI to get/create/update/delete SLS indexes, generate index configs from samples, and optimize configs. There are no unrelated credential requests, binaries, or config paths.
- Instruction Scope (note): The SKILL.md instructs the agent to run aliyun CLI commands, enable and later disable the CLI's AI-mode, capture get-index output to files under /tmp, and follow explicit confirmation rules for destructive operations. These actions are within scope for index management. Note: it instructs updating/installing plugins (aliyun plugin update / install), which will perform network downloads; this is expected for using the CLI but is a network-affecting action the user should be aware of.
- Install Mechanism (ok): This is instruction-only (no install spec or code). The included docs suggest installing aliyun CLI from official Alibaba CDN links (aliyuncli.alicdn.com) or Homebrew. No arbitrary third-party download URLs or archive extracts from unknown hosts are present in the skill files.
- Credentials (ok): The skill declares no required env vars or credentials. It correctly requires the user's aliyun CLI credentials to be configured and explicitly forbids reading or echoing AK/SK. Optional doc references mention an ALIBABA_CLOUD_LOG_ENDPOINT for custom endpoints, which is proportional and optional.
- Persistence & Privilege (ok): The skill is not always-enabled (always: false) and does not request elevated platform persistence. It relies on running the existing aliyun CLI in the user's environment; it instructs disabling CLI AI-mode at session end. Autonomous invocation is allowed (platform default) but not combined with other red flags.
