Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Alicloud Compute Fc Serverless Devs
v1.0.3Alibaba Cloud Function Compute (FC 3.0) skill for installing and using Serverless Devs to create, deploy, invoke, and remove a Python function. Use when user...
⭐ 0· 1.1k·2 current·2 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description match the instructions: the SKILL.md walks through installing Serverless Devs, configuring Alibaba Cloud credentials, initializing, deploying, invoking, and removing FC (Function Compute) functions. Asking for Node/npm and cloud AccessKeyID/AccessKeySecret is appropriate for this purpose.
Instruction Scope
Instructions only reference expected CLI operations and local paths (creating s.yaml, code/, and an output/ evidence directory). They instruct the user to configure credentials and to save evidence under output/. There are no unexpected external endpoints or instructions to read unrelated system files. However, the doc recommends using sudo for installing and running some commands (which can cause credential/config writes as root) and suggests environment-variable patterns for secrets — both are sensitive actions that should be handled carefully.
Install Mechanism
This is an instruction-only skill with no install spec or bundled code. The instructions recommend installing Serverless Devs via npm (or running via npx). No remote arbitrary archive downloads or opaque installers are embedded in the skill itself.
Credentials
The SKILL.md clearly requires Alibaba Cloud credentials (AccountID, AccessKeyID, AccessKeySecret) and suggests environment-variable usage, but the skill metadata declares no required environment variables or primary credential. The documentation also uses inconsistent env-var names in places (examples include ALIBABA_CLOUD_ACCESS_KEY_ID, ALIBABA_CLOUD_ACCESS_KEY_SECRET and later ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET), which is a coherence issue and increases the chance of user error or accidental credential exposure.
Persistence & Privilege
The skill is not always-on, is user-invocable, and does not request system-wide config paths in its metadata. It does instruct the user to run the Serverless Devs CLI which will store credentials/config locally (expected behavior), but the skill itself does not request permanent elevated privileges.
What to consider before installing
This skill appears to be a legitimate how-to for using Serverless Devs with Alibaba Cloud, but take these precautions before installing/running anything:
- Expect to provide Alibaba Cloud AccessKeyID/AccessKeySecret (AK/SK) and AccountID for deploy operations; the registry metadata does not list them explicitly — that omission is likely an authoring error.
- Do not paste secrets into chat. Use temporary or least-privilege credentials for testing, and rotate them after use.
- Prefer npx (non-global install) or a local install over running the CLI as root (avoid sudo when possible), since running with sudo may store credentials/config under root and increase risk.
- Be aware of the inconsistent env-var names in the docs (ALIBABA_CLOUD_* vs ALICLOUD_*). Confirm the exact variable names the CLI expects before exporting secrets.
- Run the suggested minimal read-only connectivity test first (as the SKILL.md recommends) to confirm permissions and region, and verify where the CLI stores its credential files on disk.
- If you need stronger assurance, request the author to update the skill metadata to declare required environment variables and to remove the sudo recommendations or explain why sudo is necessary.Like a lobster shell, security has layers — review code before you run it.
latestvk97cj4wpy5f38a0qp9251e11cd82p6bz
License
MIT-0
Free to use, modify, and redistribute. No attribution required.