ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alicloud Security Cloudfw

v1.0.3

Manage Alibaba Cloud Cloud Firewall (Cloudfw) via OpenAPI/SDK. Use whenever the user requests firewall policy/resource operations, change management, status...

0· 1.2k·2 current·2 all-time
by@cinience

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for cinience/alicloud-security-cloudfw.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Alicloud Security Cloudfw" (cinience/alicloud-security-cloudfw) from ClawHub.
Skill page: https://clawhub.ai/cinience/alicloud-security-cloudfw
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install alicloud-security-cloudfw

ClawHub CLI

Package manager switcher

npx clawhub@latest install alicloud-security-cloudfw
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The name/description match the code and SKILL.md: this is an Alibaba Cloud Cloudfw management helper. However, SKILL.md explicitly instructs use of ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET and ~/.alibabacloud/credentials, yet the registry metadata declares no required env vars or config paths. That discrepancy is unexpected and reduces transparency about what privileges the skill will need at runtime.
!
Instruction Scope
The SKILL.md directs the agent to perform discovery, SDK/OpenAPI calls (including Create/Update/Modify operations) and to use credentials from env vars or the shared credentials file. The included script itself only fetches public API metadata, but the instructions explicitly authorize mutating operations and accessing credential sources (env vars, ~/.alibabacloud/credentials). Those file/env accesses are not reflected in the skill's declared requirements and could lead to credential use that the registry metadata doesn't make obvious.
Install Mechanism
No install spec; the skill is instruction-first and ships a small Python script that fetches public metadata from api.aliyun.com and writes outputs to output/alicloud-security-cloudfw/. No archives or external installers are downloaded or executed.
!
Credentials
SKILL.md asks for Alibaba Cloud access key/secret and optional region and for reading the shared credentials file, but the skill metadata lists no required env vars or config paths. Requesting full access keys for a skill that could be used only for discovery is reasonable in some contexts, but the missing declaration is disproportionate and reduces user ability to enforce least privilege. The SKILL.md also instructs to include key parameters (region/resource id/time range) in output artifacts, which could leak sensitive identifiers if outputs are shared.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It writes outputs under its own output directory per the docs, which is normal. There is no install-time persistence mechanism.
What to consider before installing
This skill appears to be a legitimate Alibaba Cloud Cloudfw helper, but there are transparency gaps you should address before installing or running it: - The SKILL.md expects ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET and a ~/.alibabacloud/credentials file, yet the registry metadata declares no required credentials — ask the publisher to correct the metadata or explicitly confirm what credentials will be used. - Treat credentials cautiously: provide least-privilege keys (ideally read-only when you first test), and do not expose full admin keys unless you understand and trust the skill. - Because the instructions permit mutating API calls (Create/Update/Modify), require the skill to prompt for explicit user confirmation before performing any non-read-only operation. - The included script only fetches public API metadata from api.aliyun.com and is benign, but the agent runtime (per SKILL.md) may invoke SDKs that use credentials. Verify or request that the skill document a safe default (e.g., dry-run/read-only mode) and a clear confirmation step for changes. - Confirm where outputs will be saved (output/alicloud-security-cloudfw/) and avoid sharing those artifacts if they contain resource identifiers or timestamps you consider sensitive. - Because the source/homepage is unknown, consider reviewing the full skill code and SKILL.md locally, and run it first in an isolated environment with limited credentials. If the publisher updates the registry metadata to declare the required env vars/config paths and adds an explicit confirmation flow for mutating operations, that would increase confidence; until then, proceed cautiously.

Like a lobster shell, security has layers — review code before you run it.

latestvk972c2c8er11mm092sh493wh1n82qvqn
1.2kdownloads
0stars
4versions
Updated 12h ago
v1.0.3
MIT-0
@cinience
latest
Download

Category: service

Cloud Firewall

Use Alibaba Cloud OpenAPI (RPC) with official SDKs or OpenAPI Explorer to manage resources for Cloud Firewall.

Workflow

  1. Confirm region, resource identifiers, and desired action.
  2. Discover API list and required parameters (see references).
  3. Call API with SDK or OpenAPI Explorer.
  4. Verify results with describe/list APIs.

AccessKey priority (must follow)

  1. Environment variables: ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET / ALICLOUD_REGION_ID Region policy: ALICLOUD_REGION_ID is an optional default. If unset, decide the most reasonable region for the task; if unclear, ask the user.
  2. Shared config file: ~/.alibabacloud/credentials

API discovery

  • Product code: Cloudfw
  • Default API version: 2017-12-07
  • Use OpenAPI metadata endpoints to list APIs and get schemas (see references).

High-frequency operation patterns

  1. Inventory/list: prefer List* / Describe* APIs to get current resources.
  2. Change/configure: prefer Create* / Update* / Modify* / Set* APIs for mutations.
  3. Status/troubleshoot: prefer Get* / Query* / Describe*Status APIs for diagnosis.

Minimal executable quickstart

Use metadata-first discovery before calling business APIs:

python scripts/list_openapi_meta_apis.py

Optional overrides:

python scripts/list_openapi_meta_apis.py --product-code <ProductCode> --version <Version>

The script writes API inventory artifacts under the skill output directory.

Output policy

If you need to save responses or generated artifacts, write them under: output/alicloud-security-cloudfw/

Validation

mkdir -p output/alicloud-security-cloudfw
for f in skills/security/firewall/alicloud-security-cloudfw/scripts/*.py; do
  python3 -m py_compile "$f"
done
echo "py_compile_ok" > output/alicloud-security-cloudfw/validate.txt

Pass criteria: command exits 0 and output/alicloud-security-cloudfw/validate.txt is generated.

Output And Evidence

  • Save artifacts, command outputs, and API response summaries under output/alicloud-security-cloudfw/.
  • Include key parameters (region/resource id/time range) in evidence files for reproducibility.

Prerequisites

  • Configure least-privilege Alibaba Cloud credentials before execution.
  • Prefer environment variables: ALICLOUD_ACCESS_KEY_ID, ALICLOUD_ACCESS_KEY_SECRET, optional ALICLOUD_REGION_ID.
  • If region is unclear, ask the user before running mutating operations.

References

  • Sources: references/sources.md

Comments

Loading comments...