ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alicloud Security Kms

v1.0.3

Manage Alibaba Cloud Key Management Service (KMS) via OpenAPI/SDK. Use whenever the user needs key lifecycle/resource operations, policy/configuration change...

0· 1.1k·2 current·2 all-time
by@cinience

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for cinience/alicloud-security-kms.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Alicloud Security Kms" (cinience/alicloud-security-kms) from ClawHub.
Skill page: https://clawhub.ai/cinience/alicloud-security-kms
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install alicloud-security-kms

ClawHub CLI

Package manager switcher

npx clawhub@latest install alicloud-security-kms
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's stated purpose is Alibaba Cloud KMS management and the runtime instructions clearly require Alibaba Cloud credentials and access to OpenAPI metadata; that capability is coherent with the name and description. However, the registry metadata lists no required environment variables or primary credential even though SKILL.md requires ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET (and optionally ALICLOUD_REGION_ID) or a shared credentials file. The omission is an inconsistency between claimed requirements and declared requirements.
Instruction Scope
SKILL.md gives narrow, expected instructions: discover API metadata, use SDK/OpenAPI to call KMS APIs, save outputs to output/alicloud-security-kms/, and prefer least-privilege credentials. It does not instruct reading unrelated system files or exfiltrating data to unusual endpoints. The only external network access is to api.aliyun.com for API metadata, which matches the skill purpose.
Install Mechanism
No install spec is provided (instruction-only) and the only included code is a small Python script that fetches OpenAPI metadata from api.aliyun.com and writes JSON/MD to the local output directory. No downloads of arbitrary code, no archive extraction, and no non-standard binary installation are present.
!
Credentials
The SKILL.md expects sensitive credentials (ALICLOUD_ACCESS_KEY_ID and ALICLOUD_ACCESS_KEY_SECRET) and references a shared config path (~/.alibabacloud/credentials). Those are appropriate and proportionate for a KMS management skill, but they are not declared in the skill's metadata (required env vars / primary credential). That mismatch makes it unclear to the platform or user what secrets will be requested or needed.
Persistence & Privilege
The skill does not request always:true, does not declare system-wide config changes, and is user-invocable with autonomous invocation allowed (the platform default). There is no evidence the skill tries to persist itself beyond normal outputs in its own output directory.
What to consider before installing
This skill's code and instructions are consistent with an Alibaba Cloud KMS helper, but its registry metadata fails to declare that it needs your Alibaba Cloud access key and secret. Before installing or invoking: (1) treat this as a skill that will require your ALICLOUD_ACCESS_KEY_ID and ALICLOUD_ACCESS_KEY_SECRET — only provide least-privilege credentials (prefer read-only or limited KMS permissions) and avoid long-lived full-admin keys; (2) review the included script locally to confirm it only fetches api.aliyun.com metadata (it does); (3) run first in a sandbox or with test account/keys; (4) ask the publisher to update the skill metadata to list the required env vars and primary credential so the platform can surface the exact secret requests; and (5) for any mutating operations, confirm region and ask the agent to prompt you before performing changes.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dtvfwdt8k7xm8j306f5xc6982q192
1.1kdownloads
0stars
4versions
Updated 12h ago
v1.0.3
MIT-0
@cinience
latest
Download

Category: service

Key Management Service

Validation

mkdir -p output/alicloud-security-kms
python -m py_compile skills/security/key-management/alicloud-security-kms/scripts/list_openapi_meta_apis.py && echo "py_compile_ok" > output/alicloud-security-kms/validate.txt

Pass criteria: command exits 0 and output/alicloud-security-kms/validate.txt is generated.

Output And Evidence

  • Save KMS API discovery outputs and operation results in output/alicloud-security-kms/.
  • Keep at least one request parameter example per operation type.

Use Alibaba Cloud OpenAPI (RPC) with official SDKs or OpenAPI Explorer to manage resources for KeyManagementService.

Workflow

  1. Confirm region, resource identifiers, and desired action.
  2. Discover API list and required parameters (see references).
  3. Call API with SDK or OpenAPI Explorer.
  4. Verify results with describe/list APIs.

AccessKey priority (must follow)

  1. Environment variables: ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET / ALICLOUD_REGION_ID Region policy: ALICLOUD_REGION_ID is an optional default. If unset, decide the most reasonable region for the task; if unclear, ask the user.
  2. Shared config file: ~/.alibabacloud/credentials

API discovery

  • Product code: Kms
  • Default API version: 2016-01-20
  • Use OpenAPI metadata endpoints to list APIs and get schemas (see references).

High-frequency operation patterns

  1. Inventory/list: prefer List* / Describe* APIs to get current resources.
  2. Change/configure: prefer Create* / Update* / Modify* / Set* APIs for mutations.
  3. Status/troubleshoot: prefer Get* / Query* / Describe*Status APIs for diagnosis.

Minimal executable quickstart

Use metadata-first discovery before calling business APIs:

python scripts/list_openapi_meta_apis.py

Optional overrides:

python scripts/list_openapi_meta_apis.py --product-code <ProductCode> --version <Version>

The script writes API inventory artifacts under the skill output directory.

Output policy

If you need to save responses or generated artifacts, write them under: output/alicloud-security-kms/

Prerequisites

  • Configure least-privilege Alibaba Cloud credentials before execution.
  • Prefer environment variables: ALICLOUD_ACCESS_KEY_ID, ALICLOUD_ACCESS_KEY_SECRET, optional ALICLOUD_REGION_ID.
  • If region is unclear, ask the user before running mutating operations.

References

  • Sources: references/sources.md

Comments

Loading comments...