Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Aliyun Cdn Manage

v1.0.0

Use when managing Alibaba Cloud CDN via OpenAPI/SDK, including CDN domain onboarding and lifecycle operations, cache refresh/preload, HTTPS certificate updat...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose is Alibaba Cloud CDN management and the included Python script and documentation align with that. However, the package metadata lists no required environment variables or primary credential while the SKILL.md explicitly prioritizes ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET / ALICLOUD_REGION_ID and ~/.alibabacloud/credentials as the credential sources. That mismatch (no declared credentials but instructions that require them) is inconsistent and unexpected for a cloud-management skill.
Instruction Scope
SKILL.md gives clear step-by-step guidance: discover APIs, query Describe* read-only endpoints first, then run mutating Add*/Set*/Delete* APIs, and save evidence under output/aliyun-cdn-manage/. It explicitly references environment variables and a shared credentials file (~/.alibabacloud/credentials). The only external network calls shown are to official Alibaba API metadata (api.aliyun.com). Instructions allow mutating operations (with a recommendation to confirm region and state first) — this is expected for a management skill but worth noting because those operations require credentials and care.
Install Mechanism
No install spec — instruction-only plus a small Python script included. There is no downloading or executing of remote archives, no package installs, and the script uses standard library urllib.request. This is low-risk from an install perspective.
Credentials
The SKILL.md expects cloud credentials (environment variables and a credentials file) and recommends STS temporary creds / least-privilege, which is appropriate for the purpose — but the registry metadata does not declare any required environment variables or a primary credential. That inconsistency reduces transparency: users and policy systems won't see that the skill needs secrets until runtime. Also, autonomous invocation combined with provided credentials could allow the agent to perform mutating actions if not explicitly limited.
Persistence & Privilege
The skill is not marked always:true and does not request system-level persistence. It writes outputs to a local output/aliyun-cdn-manage/ directory (documented). The skill does not modify other skills or global agent config. Normal autonomous invocation is allowed (disable-model-invocation is false), which is platform-default.
What to consider before installing
Things to check before installing or using this skill:

  • Clarify credential expectations: SKILL.md expects ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET and optionally ALICLOUD_REGION_ID or ~/.alibabacloud/credentials, but the registry metadata declares no required secrets. Ask the publisher to declare required env vars/primary credential in metadata.
  • Use least-privilege, temporary STS credentials when possible and never supply long-lived root-level keys. Test with read-only credentials first.
  • Because the instructions allow mutating APIs, avoid giving the agent credentials unless you trust it and have safeguards (confirm region and operations, require interactive confirmation). Consider disabling autonomous invocation for this skill or restricting when it can run.
  • Review the included script (it only fetches API metadata from api.aliyun.com and writes to output/) and run it in an isolated environment to validate behavior.
  • If you need stronger assurance, request the publisher to add explicit manifest declarations (required env vars and primary credential) so automated policy controls and human reviewers can see the credential requirements ahead of time.

Like a lobster shell, security has layers — review code before you run it.
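The credential mismatch the scan reports can be checked mechanically before a skill is admitted. The following is an added example, not part of the skill or of the scanner: it extracts secret-bearing environment variables and credentials files from SKILL.md text and compares them with what the metadata declares. The function names, the suffix list and the idea of passing declarations as plain lists are assumptions of this example.

```python
import re

# Names ending in a secret-like suffix. The ALICLOUD_* names and the credentials
# path come from SKILL.md; the wider suffix list is an assumption of this example.
SECRET_ENV_RE = re.compile(
    r"\b[A-Z][A-Z0-9_]*_(?:ACCESS_KEY_ID|ACCESS_KEY_SECRET|SECRET|TOKEN|PASSWORD)\b"
)
CRED_FILE_RE = re.compile(r"~/\.[\w.-]+/credentials\b")

# Constructed sample: the two credential sources as SKILL.md lists them.
SAMPLE_SKILL_MD = """\
AccessKey Priority
1. Environment variables: ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET / ALICLOUD_REGION_ID
2. Shared credentials file: ~/.alibabacloud/credentials
"""


def undeclared_credentials(skill_md, declared_env=(), declared_files=()):
    """Return credential sources the instructions use but the metadata omits."""
    env_refs = set(SECRET_ENV_RE.findall(skill_md))
    file_refs = set(CRED_FILE_RE.findall(skill_md))
    return {
        "env": sorted(env_refs - set(declared_env)),
        "files": sorted(file_refs - set(declared_files)),
    }


def should_block(findings):
    """Policy decision: any undeclared credential source fails the review."""
    return bool(findings["env"] or findings["files"])


if __name__ == "__main__":
    # The registry metadata for this skill declares nothing, so pass no declarations.
    findings = undeclared_credentials(SAMPLE_SKILL_MD)
    print(findings, "block" if should_block(findings) else "ok")
```

ALICLOUD_REGION_ID is deliberately not reported, since it selects a region and carries no secret.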

SKILL.md

Category: service

Alibaba Cloud CDN

Purpose

Use Alibaba Cloud CDN OpenAPI (RPC) for common operations and integrations including:

  • accelerated domain lifecycle (create/configure/start-stop/delete)
  • cache refresh and preload (directory/file/domain)
  • HTTPS certificate configuration and updates
  • log and monitoring queries (real-time/offline)

Prerequisites

  • least-privilege RAM credentials are ready (STS temporary creds recommended).
  • domain ownership and acceleration scope policy are confirmed (mainland/global).
  • before mutating operations, validate current state using read-only APIs.

Workflow

  1. Define target resources: accelerated domains, business type, change window, and rollback criteria.
  2. Run API discovery and confirm target API names, required parameters, and version.
  3. Query current config/state with read-only APIs (Describe*) first.
  4. Execute mutating APIs (Add*/Set*/BatchSet*/Delete*) and record request context.
  5. Validate changes with monitoring/log APIs and save evidence in output/aliyun-cdn-manage/.

AccessKey Priority

  1. Environment variables: ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET / ALICLOUD_REGION_ID
  2. Shared credentials file: ~/.alibabacloud/credentials

If region/environment is unclear, confirm with user before mutating operations.
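One way to enforce steps 3 and 4 and the region rule above in code, as an added example that is not part of the skill: a gate that runs before any API call is sent. It is stricter than the prefix list in the workflow, treating everything except Describe* as mutating, so that RefreshObjectCaches and PushObjectCache also need confirmation. The names `is_read_only`, `authorize` and `ConfirmationRequired` are hypothetical, and the region in the demo call is a constructed sample.

```python
import os

READ_ONLY_PREFIXES = ("Describe",)  # the only prefix the workflow treats as read-only


class ConfirmationRequired(Exception):
    """Raised when a mutating action lacks a region or explicit confirmation."""


def is_read_only(action):
    # Default-deny: anything that is not Describe* counts as mutating.
    # A deny-list of Add*/Set*/BatchSet*/Delete* would wave through
    # RefreshObjectCaches and PushObjectCache, which both change cache state.
    return action.startswith(READ_ONLY_PREFIXES)


def authorize(action, region=None, confirmed=False, env=None):
    """Return the region to use, or raise before a mutating call is sent."""
    env = os.environ if env is None else env
    region = region or env.get("ALICLOUD_REGION_ID")
    if is_read_only(action):
        return region
    if not region:
        raise ConfirmationRequired(f"{action}: region unclear, ask the user")
    if not confirmed:
        raise ConfirmationRequired(
            f"{action}: mutating call in {region} needs explicit confirmation"
        )
    return region


if __name__ == "__main__":
    # Constructed demo: a read-only query passes, an unconfirmed purge does not.
    print(authorize("DescribeUserDomains", env={}))
    try:
        authorize("RefreshObjectCaches", region="cn-hangzhou")
    except ConfirmationRequired as exc:
        print("blocked:", exc)
```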

API Discovery

  • Product code: cdn
  • Default API version: 2018-05-10
  • Metadata source: https://api.aliyun.com/meta/v1/products/cdn/versions/2018-05-10/api-docs.json

Minimal Executable Quickstart

python skills/network/cdn/aliyun-cdn-manage/scripts/list_openapi_meta_apis.py

Optional arguments:

python skills/network/cdn/aliyun-cdn-manage/scripts/list_openapi_meta_apis.py \
  --product-code cdn \
  --version 2018-05-10 \
  --output-dir output/aliyun-cdn-manage

Common Operation Map

  • Domain management: AddCdnDomain, DescribeUserDomains, DescribeCdnDomainDetail, DeleteCdnDomain
  • Cache refresh/preload: RefreshObjectCaches (refresh), PushObjectCache (preload)
  • HTTPS certificate: SetDomainServerCertificate, DescribeDomainCertificateInfo
  • Logs and monitoring: DescribeCdnDomainLogs, DescribeDomainRealTimeRequestStatData, DescribeDomainRealTimeBpsData

Output Policy

Write generated files and execution evidence to: output/aliyun-cdn-manage/

Validation

mkdir -p output/aliyun-cdn-manage
for f in skills/network/cdn/aliyun-cdn-manage/scripts/*.py; do
  python3 -m py_compile "$f"
done
echo "py_compile_ok" > output/aliyun-cdn-manage/validate.txt

Pass criteria: command exits 0 and output/aliyun-cdn-manage/validate.txt is generated.

Output And Evidence

  • Save artifacts, command outputs, and API response summaries under output/aliyun-cdn-manage/.
  • Include key parameters (region/resource id/time range) in evidence files for reproducibility.

Prerequisites

  • Configure least-privilege Alibaba Cloud credentials before execution.
  • Prefer environment variables: ALICLOUD_ACCESS_KEY_ID, ALICLOUD_ACCESS_KEY_SECRET, optional ALICLOUD_REGION_ID.
  • If region is unclear, ask the user before running mutating operations.

References

  • Source list: references/sources.md
