Alibabacloud Yike Storyboard
v0.0.1Yike Storyboard Creation Skill - Complete AI video creation workflow from novel/script to storyboard via conversational interface. Use this skill when users...
⭐ 0· 45·0 current·0 all-time
byalibabacloud-skills-team@sdk-team
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The skill's name/description (Yike Storyboard via Alibaba Cloud ICE) matches the commands and RAM permissions requested. However the registry metadata lists no required binaries or environment variables while SKILL.md explicitly requires the aliyun CLI (>=3.3.1), the ICE plugin, and valid Alibaba Cloud credentials — a minor metadata omission but noteworthy.
Instruction Scope
SKILL.md instructs the agent and user to verify CLI version, install the ICE plugin, confirm parameters, run aliyun ice create-yike-asset-upload, upload via OSS, and poll job status. The instructions reference only relevant files/commands and require reading the user-supplied text file (head -c 1000) for analysis, which is appropriate for the task.
Install Mechanism
No install spec is provided (instruction-only) and the only executable file is a bash upload script that calls the aliyun CLI and ossutil. There are no downloads from unknown hosts or archive extracts in the skill bundle. Install risk is low, assuming users only run the provided commands and have official aliyun/oss tools installed from trusted sources.
Credentials
The skill legitimately requires Alibaba Cloud credentials (AK/SK, STS, or an ECS RAM role) to call ICE and upload to OSS; SKILL.md explains this and requests minimum ICE permissions. The metadata does not declare these credentials or primaryEnv, which is inconsistent. The skill uses STS temporary credentials returned by the service (expected), but the user must supply/manage sensitive credentials outside the skill.
Persistence & Privilege
The skill does not request persistent presence (always:false), does not modify other skills or system-wide configs, and the included script performs a one-time upload flow. No excessive privileges or always-on behavior detected.
Assessment
This skill appears to do what it says: it uses the Alibaba Cloud CLI (ICE) to request STS upload credentials, uploads the user's text file to OSS, then submits and polls a storyboard job. Before installing or running it:
- Expect to provide Alibaba Cloud credentials or use an ECS RAM role; prefer temporary STS tokens or a RAM user with the minimal ICE permissions listed (ice:CreateYikeAssetUpload, ice:SubmitYikeStoryboardJob, ice:GetYikeStoryboardJob). Do not paste long-lived root credentials into chat.
- The registry metadata omits declaring the required aliyun CLI and plugin; verify you have aliyun CLI >=3.3.1 and the ice plugin from official sources before running.
- Inspect scripts (scripts/upload_to_oss.sh) before execution; the script includes file type/size checks and prevents basic path traversal, but parsing fallbacks (grep/sed) may be brittle. Run in a controlled environment.
- Follow principle of least privilege: create a dedicated RAM user/role with exactly the permissions shown and prefer STS tokens. Restrict ~/.aliyun/config.json permissions and rotate keys regularly.
If you don't control the Alibaba Cloud account or cannot vet credentials/permissions, do not run this skill.Like a lobster shell, security has layers — review code before you run it.
latestvk9771bekn11gkd2c1dxzpnrhcd841a09
License
MIT-0
Free to use, modify, and redistribute. No attribution required.