Alibabacloud Tablestore Agent Storage
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill is aligned with Alibaba Cloud Tablestore knowledge-base management, but it can use cloud credentials, may persist secrets, can automatically create paid cloud resources, and can set up ongoing local-file sync.
Install only if you are comfortable granting Alibaba Cloud access. Before use, confirm any paid resource creation, use least-privilege temporary credentials, do not save AccessKey secrets in the generated config, and carefully review any generated sync script or scheduled task so only intended files are uploaded.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Alibaba Cloud keys or temporary tokens could be written to local disk, increasing the impact if the project directory is shared, backed up, or exposed.
The skill tells the agent to retrieve Alibaba Cloud access secrets and security tokens through the default credential chain and suggests saving those credentials into a persisted config file.
access_key_secret = credential.get_access_key_secret() ... sts_token = credential.get_security_token() ... # now you can save the credentials into config
Use temporary least-privilege credentials, avoid persisting AccessKey Secret or STS tokens in the skill config, and store only non-secret endpoint and instance settings unless the user explicitly approves secure storage.
The agent could create cloud resources that change the user's account state and may incur charges.
The documented workflow can create a paid Alibaba Cloud Tablestore instance through a CLI command when an instance is missing.
Create a high-performance instance under the CU model (pay-as-you-go) ... Auto-Create Instance Workflow ... tablestore_cli create_instance -n <instance_name> -r <region_id>
Require an explicit user confirmation that names the region, instance name, billing model, and expected cost impact before creating any cloud resource.
Private local files could be repeatedly indexed into a cloud knowledge base and later retrieved or reused beyond the original task.
The skill can create persistent automation that uploads or indexes local directory contents into a cloud knowledge base, but the visible artifacts do not clearly define exclusions, retention, review, or disable controls.
Set up local directory sync scripts and scheduled tasks for automatic knowledge base updates
Only sync a narrowly selected directory, add explicit exclusions for secrets and private files, review the generated scheduled task, and document how to pause or remove the sync.
Running remote install scripts or downloaded binaries gives the installer code local execution authority.
The installation guide includes running a remote installer script, which is a common but sensitive setup pattern for CLI tooling.
/bin/bash -c "$(curl -fsSL https://aliyuncli.alicdn.com/install.sh)"
Prefer official package managers or verified downloads where possible, inspect installer sources, and avoid running remote scripts with elevated privileges unless necessary.