Alibabacloud Governance Evaluation Report
v0.0.1
Alibaba Cloud Governance Center evaluation report skill. Use for querying governance maturity check results, generating structured risk reports, and account...
by alibabacloud-skills-team@sdk-team
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign · medium confidence

Purpose & Capability
Name/description match the implementation: the Python script calls the Aliyun CLI (aliyun governance ...) to retrieve metadata, results, and metric details and produces JSON for the agent. No unrelated services, binaries, or credentials are requested by the skill itself; the required permissions (governance:ListEvaluationMetadata, ListEvaluationResults, ListEvaluationMetricDetails) are exactly what the described functionality needs.
Instruction Scope
SKILL.md correctly documents running the Aliyun CLI and the Python script and includes a strong rule: confirm user parameters before executing commands. The script itself calls the CLI via subprocess.run and will read/write a local cache (~/.governance_cache). The instructions also require running `aliyun configure set --auto-plugin-install true`, which enables automatic plugin installation in the CLI (a side effect that causes the CLI to download plugins at runtime). These behaviors are coherent with the skill's purpose, but they are side effects you should be aware of.
Install Mechanism
No install spec is present (instruction-only plus a script). That is lower risk than arbitrary remote installs. The CLI is expected and the README points to official Aliyun CLI release URLs for manual installation. No third-party or shortener URLs are used for installing the skill itself.
Credentials
The skill does not declare or request unrelated environment variables. The needed credentials are the standard Alibaba Cloud CLI credentials (AK/STS token/RAM role/etc.) described in the docs, which are appropriate and proportional to querying Governance Center. Note: the skill will use whatever credentials the CLI is configured with (including env vars or ~/.aliyun/config.json), so ensure least privilege (the AliyunGovernanceReadOnlyAccess policy) and avoid using root credentials.
Persistence & Privilege
always:false (no forced permanent inclusion). The script creates and uses a cache directory in the user's home (~/.governance_cache) and may remove cached JSON files when --refresh is used. This is reasonable for performance but is persistent state written to the user's home—review and control that directory if needed. The skill does not modify other skills or global agent settings.
Assessment
This skill appears to do what it says: it talks to Alibaba Cloud Governance Center via the Aliyun CLI and produces structured reports. Before installing or running it:
- Be prepared to authenticate the Aliyun CLI (AK/STS token/RAM role). Use least-privilege credentials (AliyunGovernanceReadOnlyAccess) and do NOT use root account keys.
- Review and accept the side effects: the SKILL.md asks you to run `aliyun configure set --auto-plugin-install true` (this allows the CLI to download plugins) and the script will create a cache directory at ~/.governance_cache. If you dislike automatic plugin installs, install the governance plugin manually instead.
- The agent will run the Python script, which invokes `aliyun governance ...` via subprocess; confirm any profile/metric IDs/filters before the agent executes commands (the skill instructs confirmation, but the agent may run autonomously depending on your agent settings).
- Inspect the cache directory after first run and consider file permissions (cache contains API responses). If you need higher assurance, run the Python script locally yourself to observe behavior before allowing the agent to use the skill.
Confidence is medium because the package has no published homepage/author metadata; exercise usual caution with unknown sources even when functionality is coherent.
latest: vk974pmt3j8gfck1rqwr0z8ndvh84hdn1
