Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alibabacloud Analyticdb Postgresql Ai Coaching Best Practice

v0.0.1

Implement AI Coaching best practices on AnalyticDB for PostgreSQL (ADBPG): Leverage Supabase projects (training data management) + ADBPG instances with vecto...

by alibabacloud-skills-team@sdk-team
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Requires wallet · Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description align with the instructions: the SKILL focuses on creating Supabase projects, ADBPG instances, vector DBs and RAG workflows, and the docs request gpdb and VPC operations consistent with that purpose.
Instruction Scope
The SKILL.md and referenced docs instruct the agent to run many aliyun CLI commands (create DB instances, NAT/EIP, init vector DB, upload docs, ChatWithKnowledgeBase). However there are internal contradictions across the included reference files about exact CLI parameter syntax (examples using PascalCase/--RegionId vs. kebab-case/--biz-region-id vs. --region). Those conflicting examples could cause the agent to issue incorrect commands. The instructions also ask to set aliyun CLI to --auto-plugin-install true (changes local CLI behavior) which may auto-fetch plugins — this is a security-relevant side-effect. The SKILL otherwise avoids asking for raw AK/SK in-session and explicitly instructs not to print secrets.
Install Mechanism
This is instruction-only (no install spec, no code files) so nothing is written to disk by the skill itself. The included installation guide points users to official Aliyun CLI downloads (alicdn) which is reasonable. The only noteworthy install-related action the skill tells users to perform is enabling CLI auto-plugin-install; that changes local behavior and could cause automatic remote installs if triggered.
Credentials
The skill metadata declares no required env vars, but the runtime instructions require valid Alibaba Cloud credentials and recommend high-privilege system policies (AliyunGPDBFullAccess, AliyunVPCFullAccess). Those broad permissions are consistent with a 'create everything' scenario but are disproportionate if the user only wants limited operations. The docs do include a least-privilege custom policy example, but the recommended defaults are wide-ranging and can create significant blast radius if misused.
Persistence & Privilege
always:false and no code persistence; the skill does not request permanent agent-level privileges or modify other skills. However the instruction to enable aliyun CLI auto-plugin-install is a local configuration change that can alter how the CLI later pulls and installs plugins (a potential security consideration).
What to consider before installing
This skill appears to be what it claims (deploying Supabase + ADBPG vector DBs for RAG coaching) but the included documentation contradicts itself in important places and recommends broad cloud privileges. Before installing or running it:
1) Do not paste your AK/SK into chat; configure credentials locally and verify with aliyun configure list.
2) Double-check which CLI flags your installed aliyun version expects (run aliyun gpdb --help) because the docs give conflicting examples (--RegionId vs --biz-region-id vs --region).
3) Avoid enabling --auto-plugin-install unless you trust the environment and understand plugin sources; prefer manual plugin installs.
4) Grant least-privilege RAM policies where possible (use the provided custom policy template and scope to resources) and be aware of resource costs (NAT/GWs, EIPs, DB instances).
5) If you only need knowledge-base operations, restrict permissions to the smaller set listed in the docs.
If you want, provide the specific command examples you plan to run and I can validate the correct parameter forms for your aliyun CLI version.

Like a lobster shell, security has layers — review code before you run it.

latest vk976wema1h04gnwqj49s3akz5984kfb5
