Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alibabacloud Sdk Client Initialization For Python

v0.0.1-beta

Initialize and manage Alibaba Cloud SDK clients in Python. Covers singleton pattern, thread safety, endpoint vs region configuration, VPC endpoints, async mo...

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for yndu13/alibabacloud-sdk-client-initialization-for-python.

Install the skill "Alibabacloud Sdk Client Initialization For Python" (yndu13/alibabacloud-sdk-client-initialization-for-python) from ClawHub.
Skill page: https://clawhub.ai/yndu13/alibabacloud-sdk-client-initialization-for-python
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install alibabacloud-sdk-client-initialization-for-python

ClawHub CLI

npx clawhub@latest install alibabacloud-sdk-client-initialization-for-python
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
[!] Purpose & Capability
The skill's name and description (Alibaba Cloud SDK client initialization) match the instructions in SKILL.md. However, the skill metadata declares no required environment variables or credentials even though the provided examples directly read ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET from the environment. That metadata omission is an incoherence — if the skill is intended to run code that creates SDK clients, it legitimately needs credentials and should declare them.
[!] Instruction Scope
SKILL.md includes runnable Python code that reads os.environ['ALIBABA_CLOUD_ACCESS_KEY_ID'] and os.environ['ALIBABA_CLOUD_ACCESS_KEY_SECRET'] (and also shows os.environ.get in another example). Reading these secrets is directly relevant to initializing SDK clients, but the instructions do not handle missing credentials safely (one example uses direct indexing which raises if unset). The doc does not instruct the agent to access unrelated files, but it does implicitly require access to sensitive environment variables not advertised in the metadata.
Install Mechanism
This is an instruction-only skill with no install spec or code files (lowest install risk). The SKILL.md recommends installing packages via pip (alibabacloud-tea-openapi and product SDKs). Pip installs from PyPI are common and expected for a Python SDK guide; they carry moderate supply-chain risk but are proportional to the stated purpose.
[!] Credentials
The only sensitive items referenced are standard Alibaba Cloud access keys, which are proportionate to SDK initialization. The problem is the metadata declares no required env vars or primary credential while the instructions clearly rely on them. This mismatch raises the risk that credentials could be requested or accessed without clear user expectation. Also one code example uses os.environ[...] (KeyError risk) rather than safe retrieval patterns.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and has no install actions that persist code on disk. Autonomous invocation is allowed (platform default) but that alone is not a problem; combined with the undocumented credential access it does increase potential blast radius and should be considered by the user.
What to consider before installing
This skill appears to be a legitimate SDK initialization guide, but it references ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET inside the examples while the skill metadata lists no required credentials — that's an inconsistency you should resolve before use. Before installing or running code from this skill: (1) ask the publisher to declare required env vars/credentials explicitly; (2) never provide long-lived root credentials — use least-privilege RAM users or instance/RAM roles; (3) avoid pasting secrets into interactive chats or allowing the agent to fetch them without explicit consent; (4) if you run the provided code, test in an isolated environment with disposable credentials; and (5) prefer the examples that use safe retrieval (os.environ.get or explicit config) and handle missing credentials rather than ones that will raise and potentially leak debug info. If the skill will be allowed to run autonomously, require explicit user confirmation before it can access or request credentials.

Like a lobster shell, security has layers — review code before you run it.

MIT-0

Client Initialization Best Practices (Python)

Core Rules

  • Client is thread-safe — safe to share across threads without additional locking.
  • Use singleton pattern — do NOT create new client instances per request. Frequent client creation wastes resources.
  • Prefer explicit endpoint over region-based endpoint resolution.

Recommended Client Creation

import os
from threading import Lock
from alibabacloud_tea_openapi.models import Config
from alibabacloud_ecs20140526.client import Client as EcsClient

_client = None
_lock = Lock()

def get_ecs_client() -> EcsClient:
    global _client
    if _client is None:
        with _lock:
            if _client is None:
                config = Config(
                    access_key_id=os.environ['ALIBABA_CLOUD_ACCESS_KEY_ID'],
                    access_key_secret=os.environ['ALIBABA_CLOUD_ACCESS_KEY_SECRET'],
                    endpoint='ecs.cn-hangzhou.aliyuncs.com',
                )
                _client = EcsClient(config)
    return _client
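
The scan above notes that direct os.environ[...] indexing raises a bare KeyError when a variable is unset. The following is an added sketch, not part of the skill's SKILL.md or of the Alibaba Cloud SDK: it validates both variables before any client is built, reports only variable names on failure, and keeps the same double-checked locking. The names load_credentials, MissingCredentialsError, LazySingleton and build_stub_client are hypothetical, and the stub dictionary stands in for EcsClient(Config(...)) so the code runs without the SDK installed.

```python
import os
import threading
from typing import Callable, Generic, Mapping, Optional, TypeVar

T = TypeVar("T")
REQUIRED_VARS = ("ALIBABA_CLOUD_ACCESS_KEY_ID", "ALIBABA_CLOUD_ACCESS_KEY_SECRET")


class MissingCredentialsError(RuntimeError):
    """Carries the names of missing variables, never their values."""


def load_credentials(env: Optional[Mapping[str, str]] = None) -> dict:
    """Return Config keyword arguments, failing early if a variable is unset or blank."""
    env = os.environ if env is None else env
    missing = [name for name in REQUIRED_VARS if not env.get(name, "").strip()]
    if missing:
        raise MissingCredentialsError("unset or empty: " + ", ".join(missing))
    return {
        "access_key_id": env[REQUIRED_VARS[0]],
        "access_key_secret": env[REQUIRED_VARS[1]],
    }


class LazySingleton(Generic[T]):
    """Double-checked locking around a factory, as in get_ecs_client() above."""

    def __init__(self, factory: Callable[[], T]) -> None:
        self._factory = factory
        self._lock = threading.Lock()
        self._instance: Optional[T] = None

    def get(self) -> T:
        if self._instance is None:
            with self._lock:
                if self._instance is None:
                    # A factory that raises leaves _instance unset, so a later
                    # call retries once the environment has been corrected.
                    self._instance = self._factory()
        return self._instance


def build_stub_client(env: Optional[Mapping[str, str]] = None) -> dict:
    """Stand-in for EcsClient(Config(...)); assumption made so this runs offline."""
    return {"endpoint": "ecs.cn-hangzhou.aliyuncs.com", **load_credentials(env)}
```

With the SDK installed, the factory passed to LazySingleton would return EcsClient(Config(endpoint=..., **load_credentials())) instead of the stub.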

Endpoint Configuration

Priority: explicit endpoint > region-based resolution via region_id.

# Preferred: explicit endpoint
config = Config(endpoint='ecs.cn-hangzhou.aliyuncs.com')

# Alternative: SDK resolves endpoint from region
config = Config(region_id='cn-hangzhou')

VPC Endpoints

Use VPC endpoints when running inside an Alibaba Cloud VPC:

config = Config(endpoint='ecs-vpc.cn-hangzhou.aliyuncs.com')

File Upload APIs (Advance)

Set both region_id and endpoint to the same region. Optionally set open_platform_endpoint and endpoint_type for VPC:

config = Config(
    region_id='cn-shanghai',
    endpoint='objectdet.cn-shanghai.aliyuncs.com',
    open_platform_endpoint='openplatform-vpc.cn-shanghai.aliyuncs.com',
    endpoint_type='internal',
)

SDK Components

Component | Install Command
Core SDK | pip install alibabacloud-tea-openapi
Product SDK | pip install alibabacloud_ecs20140526 (example)

Async Mode

The Python SDK supports async calls via the _async method suffix:

import asyncio
import os  # required for the os.environ.get() calls below
from alibabacloud_ecs20140526.client import Client
from alibabacloud_ecs20140526.models import DescribeImagesRequest
from alibabacloud_tea_openapi.models import Config

async def main():
    config = Config(
        access_key_id=os.environ.get('ALIBABA_CLOUD_ACCESS_KEY_ID'),
        access_key_secret=os.environ.get('ALIBABA_CLOUD_ACCESS_KEY_SECRET'),
        endpoint='ecs-cn-hangzhou.aliyuncs.com',
    )
    client = Client(config)
    request = DescribeImagesRequest(region_id='cn-hangzhou')
    response = await client.describe_images_async(request)
    return response

asyncio.run(main())
