ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Aliyun Ccai Manage

v1.0.0

Use when managing Alibaba Cloud Contact Center AI (ContactCenterAI) via OpenAPI/SDK, including the task involves Contact Center AI resource lifecycle operati...

0· 6·0 current·0 all-time
by@cinience
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to manage Alibaba Cloud ContactCenterAI and includes a script that fetches OpenAPI metadata from api.aliyun.com — this is coherent with the stated purpose. However, the registry metadata declares no required credentials while SKILL.md explicitly requires Alibaba Cloud credentials (ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET and/or ~/.alibabacloud/credentials). The omission in metadata is an inconsistency (likely sloppy) that reduces transparency.
!
Instruction Scope
SKILL.md instructs the agent to discover APIs, call SDK/OpenAPI, and save artifacts under output/aliyun-ccai-manage/. It also names environment variables to use for credentials and tells the agent to include 'key parameters (region/resource id/time range)' in evidence files. The instructions access cloud credentials (via env or shared config) not declared in registry metadata and direct writing potentially sensitive identifiers to disk. The included Python script fetches metadata from the documented api.aliyun.com endpoints only (no hidden endpoints), which is expected.
Install Mechanism
No install spec; the skill is instruction-only with a small included Python script. The script only performs an HTTPS GET against api.aliyun.com and writes files under output/, which is low risk compared to download-and-execute installers.
!
Credentials
Requiring Alibaba Cloud access keys is proportionate to a cloud-management skill. The problem is the registry metadata does not declare these required environment variables or a primary credential, which is a transparency gap. Also, SKILL.md asks agents to persist 'evidence' containing resource identifiers to disk — that is reasonable for reproducibility but could leak sensitive resource context if not handled carefully. No unrelated credentials are requested.
Persistence & Privilege
The skill is not always: true and does not request system-level persistence. It writes outputs under its own output/ directory per its Output policy. Autonomous invocation is allowed by default (disable-model-invocation: false) but that is normal and not by itself flagged here.
What to consider before installing
Before installing or running this skill: 1) Be aware the skill expects Alibaba Cloud credentials (ALICLOUD_ACCESS_KEY_ID and ALICLOUD_ACCESS_KEY_SECRET or ~/.alibabacloud/credentials) even though the registry metadata doesn't list them—verify and supply least-privilege credentials scoped to ContactCenterAI only. 2) Inspect the included script (scripts/list_openapi_meta_apis.py) yourself — it fetches API metadata from api.aliyun.com and writes files to output/aliyun-ccai-manage/ (no hidden network endpoints were found). 3) Avoid placing long-lived or wide-scope credentials in the environment; consider using limited IAM keys, temporary tokens, or a dedicated sandbox account. 4) Review output/ files for any sensitive identifiers before sharing them; the SKILL.md explicitly asks to record region/resource ids/time ranges. 5) If you need stronger assurance, ask the publisher for a homepage/source, or request they add the required env vars to the package metadata and document least-privilege IAM permissions. If you cannot verify the source or cannot restrict credentials, do not run the skill with production credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk975d9tts1ct3zva1d7jxer5y5840cr9

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Category: service

Contact Center AI

Use Alibaba Cloud OpenAPI (RPC) with official SDKs or OpenAPI Explorer to manage resources for Contact Center AI.

Workflow

  1. Confirm region, resource identifiers, and desired action.
  2. Discover API list and required parameters (see references).
  3. Call API with SDK or OpenAPI Explorer.
  4. Verify results with describe/list APIs.

AccessKey priority (must follow)

  1. Environment variables: ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET / ALICLOUD_REGION_ID Region policy: ALICLOUD_REGION_ID is an optional default. If unset, decide the most reasonable region for the task; if unclear, ask the user.
  2. Shared config file: ~/.alibabacloud/credentials

API discovery

  • Product code: ContactCenterAI
  • Default API version: 2024-06-03
  • Use OpenAPI metadata endpoints to list APIs and get schemas (see references).

High-frequency operation patterns

  1. Inventory/list: prefer List* / Describe* APIs to get current resources.
  2. Change/configure: prefer Create* / Update* / Modify* / Set* APIs for mutations.
  3. Status/troubleshoot: prefer Get* / Query* / Describe*Status APIs for diagnosis.

Minimal executable quickstart

Use metadata-first discovery before calling business APIs:

python scripts/list_openapi_meta_apis.py

Optional overrides:

python scripts/list_openapi_meta_apis.py --product-code <ProductCode> --version <Version>

The script writes API inventory artifacts under the skill output directory.

Output policy

If you need to save responses or generated artifacts, write them under: output/aliyun-ccai-manage/

Validation

mkdir -p output/aliyun-ccai-manage
for f in skills/ai/service/aliyun-ccai-manage/scripts/*.py; do
  python3 -m py_compile "$f"
done
echo "py_compile_ok" > output/aliyun-ccai-manage/validate.txt

Pass criteria: command exits 0 and output/aliyun-ccai-manage/validate.txt is generated.

Output And Evidence

  • Save artifacts, command outputs, and API response summaries under output/aliyun-ccai-manage/.
  • Include key parameters (region/resource id/time range) in evidence files for reproducibility.

Prerequisites

  • Configure least-privilege Alibaba Cloud credentials before execution.
  • Prefer environment variables: ALICLOUD_ACCESS_KEY_ID, ALICLOUD_ACCESS_KEY_SECRET, optional ALICLOUD_REGION_ID.
  • If region is unclear, ask the user before running mutating operations.

References

  • Sources: references/sources.md

Files

4 total
Select a file
Select a file to preview.

Comments

Loading comments…