ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alibabacloud Kms Secret Manage

Alibaba Cloud KMS Secret Management Skill. Used for managing secrets in KMS, supporting create, delete, update, query operations, version management, and rot...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 8 · 0 current installs · 0 all-time installs
byalibabacloud-skills-team@sdk-team
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description and the CLI/SDK examples align with an Alibaba Cloud KMS secret-management skill. However, the skill does not declare any primary credential or required env vars even though every actionable CLI/SDK call requires Alibaba Cloud credentials (AK/SK, STS token, or an ECS RAM role). This omission is an inconsistency: a KMS management skill legitimately needs cloud credentials and should declare them (or document expected credential sources) explicitly.
Instruction Scope
SKILL.md contains concrete CLI commands, SDK examples, and safety rules (e.g., do not print AK/SK, only execute GetSecretValue after explicit user confirmation). That scope is appropriate for secret management. Minor concerns: the documentation and examples show how to configure credentials (including command-line flags with AK/SK) and reference config files (~/.aliyun/config.json) and several environment variables (ALIBABA_CLOUD_*). Those references grant the agent implicit discretion to use credentials/config stored on the host unless the platform restricts that — the skill should explicitly state how credentials will be obtained and handled at runtime.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest installation risk. CLI install docs reference official Alibaba download hosts (aliyuncli.alicdn.com) which are expected for Aliyun CLI installation; no third-party or opaque downloads are present.
!
Credentials
The skill lists no required environment variables or primary credential, but the content explicitly references and relies on environment variables and credential configuration (ALIBABA_CLOUD_ACCESS_KEY_ID/SECRET, ALIBABA_CLOUD_REGION_ID, ALIBABA_CLOUD_* timeouts, and ~/.aliyun/config.json). That is a proportionality mismatch: the skill should declare the credentials it needs. Also the docs include command examples for setting AK/SK via CLI flags, which can encourage insecure handling of secrets if followed without caution.
Persistence & Privilege
always is false and there is no install-time persistence. The skill can be invoked autonomously (platform default), which is normal for skills; that combined with credential access is worth user attention but is not flagged by itself.
What to consider before installing
This skill appears to be a genuine Alibaba Cloud KMS secret-management guide, but it omits an explicit declaration of how credentials will be provided. Before installing or invoking it: 1) Confirm how your agent/runtime will supply Alibaba Cloud credentials (environment vars, ~/.aliyun/config.json, ECS RAM role, or explicit user input). 2) Never paste AK/SK into a conversational prompt; prefer ECS RAM roles or short-lived STS tokens. 3) Be cautious with commands that retrieve secret values — the skill documents a good safety rule (only retrieve after explicit confirmation); keep that workflow and run sensitive commands in a private, audited terminal. 4) If you do not want the agent to ever access secrets autonomously, disable autonomous invocation or require manual confirmation for all sensitive operations. 5) For least privilege, grant only the specific KMS permissions required (e.g., GetSecretValue for runtime retrieval) rather than broad wildcards. If you want higher confidence, ask the publisher to update the skill metadata to declare required credential sources (primaryEnv) and to explicitly forbid reading host credential/config files without user consent.

Like a lobster shell, security has layers — review code before you run it.

Current versionv0.0.2
Download zip
latestvk97f05ra9wjdt49m9exadvejn9840cng

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Alibaba Cloud KMS Secret Management

This Skill provides core functionality for Alibaba Cloud Key Management Service (KMS) secret management, supporting CRUD operations on secrets.

Scenario Description

KMS Secret Management service is used to securely store, manage, and access sensitive information, such as:

  • Database connection credentials
  • API keys
  • OAuth tokens
  • Certificate private keys
  • Other sensitive data requiring secure storage

Architecture: Alibaba Cloud KMS Service + Secret Management (Secrets Manager)

graph TB
    User[Application/User] --> KMS[KMS Secret Management]
    KMS --> Secret[Generic Secret]
    Secret --> V1[Version 1]
    Secret --> V2[Version 2]
    Secret --> VN[Version N]
    KMS --> Rotation[Rotation Secret]
    Rotation --> RDS[RDS Managed Secret]
    Rotation --> RAM[RAM Managed Secret]
    Rotation --> ECS[ECS Managed Secret]
    Rotation --> Redis[Redis Managed Secret]
    Rotation --> PolarDB[PolarDB Managed Secret]

Environment Setup

Dependency: Aliyun CLI. If command not found error occurs, refer to references/cli-installation-guide.md for installation.

Timeout Configuration

Set appropriate timeouts for CLI commands to avoid hanging:

# Set timeout environment variables (in seconds)
export ALIBABA_CLOUD_CONNECT_TIMEOUT=30
export ALIBABA_CLOUD_READ_TIMEOUT=30

Or use command-line flags:

aliyun kms <action> --connect-timeout 30 --read-timeout 30 ...

Recommended timeout values:

  • Connection timeout: 30 seconds
  • Read timeout: 30 seconds

Security Rules

  • Prohibited: Reading, printing, or displaying AK/SK values
  • Prohibited: Requiring users to directly input AK/SK in conversation
  • Sensitive Data Masking: Secret values returned by GetSecretValue are masked by default (e.g., ***), only output in plaintext when user explicitly requests

RAM Permission Requirements

Ensure the executing user has the following KMS permissions. For detailed policies, see references/ram-policies.md.

Minimum Permissions (Read-Only):

kms:DescribeSecret, kms:ListSecrets, kms:GetSecretValue, kms:ListSecretVersionIds, kms:GetSecretPolicy

Full Permissions (Read-Write):

kms:CreateSecret, kms:DeleteSecret, kms:UpdateSecret, kms:DescribeSecret, 
kms:ListSecrets, kms:GetSecretValue, kms:PutSecretValue, kms:ListSecretVersionIds,
kms:UpdateSecretVersionStage, kms:UpdateSecretRotationPolicy, kms:RotateSecret,
kms:RestoreSecret, kms:SetSecretPolicy, kms:GetSecretPolicy,
kms:ListKmsInstances, kms:ListKeys, kms:CreateKey

Core Workflows

1. Create Secret

Creating a secret requires obtaining the KMS instance ID and encryption key ID first, then executing the creation.

# Step 1: Get KMS Instance ID
aliyun kms ListKmsInstances --PageNumber 1 --PageSize 10 --region <region-id> --user-agent AlibabaCloud-Agent-Skills
# → Extract KmsInstances.KmsInstance[0].KmsInstanceId

# Step 2: Get Encryption Key ID
aliyun kms ListKeys --Filters '[{"Key":"KeySpec","Values":["Aliyun_AES_256"]},{"Key":"DKMSInstanceId","Values":["<instance-id>"]}]' --PageNumber 1 --PageSize 10 --region <region-id> --user-agent AlibabaCloud-Agent-Skills
# → Extract Keys.Key[0].KeyId

# Step 3: Create Secret (requires DKMSInstanceId and EncryptionKeyId)
aliyun kms CreateSecret --SecretName "<secret-name>" --SecretData "<secret-value>" --VersionId "<version-id>" --EncryptionKeyId "<key-id>" --DKMSInstanceId "<instance-id>" --region <region-id> --user-agent AlibabaCloud-Agent-Skills

2. List Secrets

aliyun kms ListSecrets --region <region-id> --user-agent AlibabaCloud-Agent-Skills

3. Get Secret Value

Security Policy:

  • If user does NOT explicitly request the secret value: Only provide the CLI command or Python code script. DO NOT execute.
  • If user explicitly requests to get/retrieve/show the secret value: Provide the command/script first, then execute after user confirms.

CLI Command:

aliyun kms GetSecretValue --SecretName "<secret-name>" --region <region-id> --user-agent AlibabaCloud-Agent-Skills

Python SDK Example:

from alibabacloud_tea_openapi.client import Client as OpenApiClient
from alibabacloud_tea_openapi import models as open_api_models
from alibabacloud_credentials.client import Client as CredentialClient
from alibabacloud_tea_util import models as util_models

credential = CredentialClient()
config = open_api_models.Config(credential=credential)
config.endpoint = 'kms.<region-id>.aliyuncs.com'
client = OpenApiClient(config)

params = open_api_models.Params(
    action='GetSecretValue',
    version='2016-01-20',
    protocol='HTTPS',
    method='POST',
    auth_type='AK',
    style='RPC',
    pathname='/',
    req_body_type='json',
    body_type='json'
)

body = {'SecretName': '<secret-name>'}
runtime = util_models.RuntimeOptions()
request = open_api_models.OpenApiRequest(body=body)
response = client.call_api(params, request, runtime)
print(response.body)

Note:

  • Only execute the retrieval after user explicitly confirms
  • The secret value contains sensitive information that should be handled with care
  • Always remind user to execute in a secure environment (private terminal, no screen sharing, no logging)

4. Delete Secret

Pre-check before deletion (Safety Requirement):

Before force deleting a secret, always verify its existence and check if it's still in use:

# Step 1: Describe the secret to verify existence and check metadata
aliyun kms DescribeSecret --SecretName "<secret-name>" --region <region-id> --user-agent AlibabaCloud-Agent-Skills
# → Check SecretName, CreateTime, and other metadata to confirm this is the correct secret

If DescribeSecret returns error (secret not found):

  • Stop and inform user: "Secret does not exist, no deletion needed"

If DescribeSecret succeeds:

  • Review the secret metadata
  • Confirm with user before proceeding with force deletion
# Step 2: Force delete (immediate deletion, cannot be recovered)
aliyun kms DeleteSecret --SecretName "<secret-name>" --ForceDeleteWithoutRecovery true --region <region-id> --user-agent AlibabaCloud-Agent-Skills

Idempotency: If Forbidden.ResourceNotFound error is returned, it means the secret does not exist, treat as deletion successful and continue with subsequent operations.

5. Update Secret Value

aliyun kms PutSecretValue --SecretName "<secret-name>" --SecretData "<new-secret-value>" --VersionId "<new-version-id>" --region <region-id> --user-agent AlibabaCloud-Agent-Skills

6. Describe Secret

aliyun kms DescribeSecret --SecretName "<secret-name>" --region <region-id> --user-agent AlibabaCloud-Agent-Skills

7. List Secret Versions

aliyun kms ListSecretVersionIds --SecretName "<secret-name>" --IncludeDeprecated true --region <region-id> --user-agent AlibabaCloud-Agent-Skills

8. Configure Rotation Policy

aliyun kms UpdateSecretRotationPolicy --SecretName "<secret-name>" --EnableAutomaticRotation true --RotationInterval 7d --region <region-id> --user-agent AlibabaCloud-Agent-Skills

9. Restore Deleted Secret

aliyun kms RestoreSecret --SecretName "<secret-name>" --region <region-id> --user-agent AlibabaCloud-Agent-Skills

Idempotency: If Rejected.ResourceInUse error is returned, it means the secret has been restored or was not deleted, treat as restore successful and continue with subsequent operations.

Advanced Features

For managed credentials and other advanced features, see references/managed-credentials.md.

Reference Links

DocumentDescription
references/related-apis.mdAPI detailed description
references/ram-policies.mdRAM permission policies
references/managed-credentials.mdManaged credentials guide

Files

7 total
Select a file
Select a file to preview.

Comments

Loading comments…