ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alicloud Security Content Moderation Green

v1.0.3

Manage Alibaba Cloud Content Moderation (Green) via OpenAPI/SDK. Use whenever the user needs content moderation resource and policy operations, including lis...

0· 1.2k·2 current·3 all-time
by@cinience

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for cinience/alicloud-security-content-moderation-green.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Alicloud Security Content Moderation Green" (cinience/alicloud-security-content-moderation-green) from ClawHub.
Skill page: https://clawhub.ai/cinience/alicloud-security-content-moderation-green
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install alicloud-security-content-moderation-green

ClawHub CLI

Package manager switcher

npx clawhub@latest install alicloud-security-content-moderation-green
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill is for Alibaba Cloud Content Moderation (Green) and the included script and docs point at the official Alibaba API metadata endpoints — that matches the stated purpose. However, the registry metadata lists no required credentials or config paths while the SKILL.md explicitly requires Alibaba Cloud access keys and may perform create/update operations. The omission of those required credentials from the skill manifest is an inconsistency.
!
Instruction Scope
SKILL.md instructs the agent to call OpenAPI/SDK methods including List/Create/Update/Modify operations and to use credentials from environment variables or ~/.alibabacloud/credentials. The included script only fetches public API metadata, but the textual instructions authorize mutating cloud APIs and reading shared config (~/.alibabacloud/credentials). The manifest did not declare read access to that config path, so the runtime instructions allow broader scope than the declared skill footprint.
Install Mechanism
There is no install spec and only one small Python script which queries a public Alibaba API metadata URL. No downloads from unknown hosts or archive extraction are used. This is low-risk from an install perspective.
!
Credentials
SKILL.md requires ALICLOUD_ACCESS_KEY_ID, ALICLOUD_ACCESS_KEY_SECRET, and optionally ALICLOUD_REGION_ID (and references ~/.alibabacloud/credentials). Yet the skill metadata declares no required environment variables or primary credential. Requesting cloud credentials for a skill that can perform mutating operations is reasonable — but the manifest should explicitly list and justify them. The current mismatch could cause a user to grant credentials without realizing the skill will use them for mutations.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide persistence or attempt to modify other skills' configuration. Autonomous invocation is allowed (platform default) but not combined with any additional privileged flags.
What to consider before installing
Before installing or running this skill: (1) Ask the author/maintainer to update the skill metadata to explicitly declare required env vars (ALICLOUD_ACCESS_KEY_ID, ALICLOUD_ACCESS_KEY_SECRET, optional ALICLOUD_REGION_ID) and any config path (~/.alibabacloud/credentials). (2) Only provide least-privilege credentials (prefer read-only scope or a narrowly-scoped role) and test in a non-production account first. (3) Understand that SKILL.md allows mutating APIs (Create/Update); if you only need inventory/read operations request a read-only version. (4) Confirm whether the agent will run those mutating operations autonomously — if you want to prevent automatic changes, deny or rotate credentials or require explicit user approval for mutations. (5) If you need higher assurance, request the author publish the code in a public repo and include a manifest declaring required envs and an explicit list of API calls the skill may make. If the manifest is corrected to list only read-only credentials and the skill is limited to metadata fetching/listing, the incoherence would be resolved and my concern would be reduced.

Like a lobster shell, security has layers — review code before you run it.

latestvk97eg6axyae0b682t4ghx9w3bx82q226
1.2kdownloads
0stars
4versions
Updated 11h ago
v1.0.3
MIT-0
@cinience
latest
Download

Category: service

Content Moderation (Green)

Use Alibaba Cloud OpenAPI (RPC) with official SDKs or OpenAPI Explorer to manage resources for Content Moderation.

Workflow

  1. Confirm region, resource identifiers, and desired action.
  2. Discover API list and required parameters (see references).
  3. Call API with SDK or OpenAPI Explorer.
  4. Verify results with describe/list APIs.

AccessKey priority (must follow)

  1. Environment variables: ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET / ALICLOUD_REGION_ID Region policy: ALICLOUD_REGION_ID is an optional default. If unset, decide the most reasonable region for the task; if unclear, ask the user.
  2. Shared config file: ~/.alibabacloud/credentials

API discovery

  • Product code: Green
  • Default API version: 2022-09-26
  • Use OpenAPI metadata endpoints to list APIs and get schemas (see references).

High-frequency operation patterns

  1. Inventory/list: prefer List* / Describe* APIs to get current resources.
  2. Change/configure: prefer Create* / Update* / Modify* / Set* APIs for mutations.
  3. Status/troubleshoot: prefer Get* / Query* / Describe*Status APIs for diagnosis.

Minimal executable quickstart

Use metadata-first discovery before calling business APIs:

python scripts/list_openapi_meta_apis.py

Optional overrides:

python scripts/list_openapi_meta_apis.py --product-code <ProductCode> --version <Version>

The script writes API inventory artifacts under the skill output directory.

Output policy

If you need to save responses or generated artifacts, write them under: output/alicloud-security-content-moderation-green/

Validation

mkdir -p output/alicloud-security-content-moderation-green
for f in skills/security/content/alicloud-security-content-moderation-green/scripts/*.py; do
  python3 -m py_compile "$f"
done
echo "py_compile_ok" > output/alicloud-security-content-moderation-green/validate.txt

Pass criteria: command exits 0 and output/alicloud-security-content-moderation-green/validate.txt is generated.

Output And Evidence

  • Save artifacts, command outputs, and API response summaries under output/alicloud-security-content-moderation-green/.
  • Include key parameters (region/resource id/time range) in evidence files for reproducibility.

Prerequisites

  • Configure least-privilege Alibaba Cloud credentials before execution.
  • Prefer environment variables: ALICLOUD_ACCESS_KEY_ID, ALICLOUD_ACCESS_KEY_SECRET, optional ALICLOUD_REGION_ID.
  • If region is unclear, ask the user before running mutating operations.

References

  • Sources: references/sources.md

Comments

Loading comments...