Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Aliyun Cli Manage

v1.0.0

Use when users need command-line operations on Alibaba Cloud resources (list/query/create/update/delete), credential/profile setup, region/endpoint selection...

Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (manage Alibaba Cloud via the aliyun CLI) match the included script and SKILL.md. The script's behavior (detect, download official package, install, run version) is appropriate for a CLI management skill.
Instruction Scope
SKILL.md tells the agent to validate, run the bundled ensure_aliyun_cli.py, configure credentials, run aliyun help and read-only queries before mutating actions, and save outputs to a local output directory. The instructions do not ask for unrelated files, hostnames, or other service credentials.
Install Mechanism
The script downloads and extracts an archive from https://aliyuncli.alicdn.com (official Alibaba CDN) and copies the contained 'aliyun' binary into a user-specified or default install dir (~/.local/bin) or overwrites an existing writable 'aliyun' in PATH. Download+extract is necessary for this purpose but carries the usual risks: the script does not perform signature/checksum verification of the downloaded archive.
Credentials
The skill does not declare required secrets; the SKILL.md recommends providing Alibaba Cloud credentials (AK/SK or env vars) which is proportional to a cloud CLI tool. The only environment variables the script reads are for update controls (check interval, force update, min version, install dir). There are no unrelated credentials requested.
Persistence & Privilege
The skill writes a state file (~/.cache/aliyun-cli-manage/state.json) and installs/updates a binary in a user directory (default ~/.local/bin) or an existing writable PATH location. It does not request system-wide 'always: true' privileges or modify other skills, but it will modify the local filesystem and potentially overwrite an existing aliyun binary if writable.
Assessment
This skill behaves like a normal CLI helper: it will download and install the official aliyun CLI binary and then run aliyun commands. Before installing, consider: (1) verify the download URL (the script uses aliyuncli.alicdn.com, Alibaba's CDN) and run the script in a safe environment if you have concerns; (2) the script does not verify archive signatures — if you need stronger assurance, download and verify the release manually and pass --binary-path to the script; (3) it will write a state file to ~/.cache/aliyun-cli-manage and install to ~/.local/bin by default (you can override via env or args); (4) provide least-privilege Alibaba credentials and review command parameters before allowing mutating operations; (5) if you want to avoid any automatic changes to your system binary, run the tool in an isolated/containerized environment or invoke the script with --binary-path pointing to a controlled location.

Like a lobster shell, security has layers — review code before you run it.

latest vk976x6qf6ytejcrspdbfwq39wx842gr3
97 downloads
0 stars
1 version
Updated 2w ago
v1.0.0
MIT-0

Category: tool

Alibaba Cloud Generic CLI (aliyun) Skill

Validation

mkdir -p output/aliyun-cli-manage
python skills/platform/cli/aliyun-cli-manage/scripts/ensure_aliyun_cli.py --help > output/aliyun-cli-manage/validate-help.txt

Pass criteria: command exits 0 and output/aliyun-cli-manage/validate-help.txt is generated.

Output And Evidence

  • Save CLI version checks, API outputs, and error logs under output/aliyun-cli-manage/.
  • For each mutating action, keep request parameters and result summaries.

Goals

  • Use official aliyun CLI to execute Alibaba Cloud OpenAPI operations.
  • Provide a standard flow for install, configuration, API discovery, execution, and troubleshooting.

Quick Flow

  1. Run the version guard script first (check first, then decide whether to upgrade).
  2. If not installed or check interval reached, the script downloads and installs the latest official package.
  3. Configure credentials and default region (recommend default profile).
  4. Use aliyun <product> --help / aliyun <product> <ApiName> --help to confirm parameters.
  5. Run read-only queries first, then mutating operations.

Version Guard (Practical)

Prefer the bundled script to avoid unnecessary downloads on every run:

python skills/platform/cli/aliyun-cli-manage/scripts/ensure_aliyun_cli.py

Default behavior:

  • Check interval: 24 hours (configurable via environment variable).
  • Within interval and version is sufficient: skip download.
  • Exceeded interval / not installed / below minimum version: auto-download and install latest official package.

Optional controls (environment variables):

  • ALIYUN_CLI_CHECK_INTERVAL_HOURS=24: check interval.
  • ALIYUN_CLI_FORCE_UPDATE=1: force update (ignore interval).
  • ALIYUN_CLI_MIN_VERSION=3.2.9: minimum acceptable version.
  • ALIYUN_CLI_INSTALL_DIR=~/.local/bin: installation directory.

Manual parameter examples:

python skills/platform/cli/aliyun-cli-manage/scripts/ensure_aliyun_cli.py \
  --interval-hours 24 \
  --min-version 3.2.9

Install (Linux example)

curl -fsSL https://aliyuncli.alicdn.com/aliyun-cli-linux-latest-amd64.tgz -o /tmp/aliyun-cli.tgz
mkdir -p ~/.local/bin
tar -xzf /tmp/aliyun-cli.tgz -C /tmp
mv /tmp/aliyun ~/.local/bin/aliyun
chmod +x ~/.local/bin/aliyun
~/.local/bin/aliyun version
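
The scan assessment notes that the archive is installed without checksum or signature verification, and the commands above unpack a "latest" archive straight into /tmp. The function below is an added example, not the skill's own code: it installs the binary only when the archive matches a SHA-256 you pinned yourself. The function names, the pinned digest, and the top-level archive member named aliyun (implied by the mv above) are assumptions of this example.

```shell
# Added example, not part of the skill. Assumptions: the archive has a
# top-level member named "aliyun", and the expected digest is a SHA-256
# you recorded yourself after reviewing a specific release.

# Print the SHA-256 of a file using whichever tool is available.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# install_verified_aliyun ARCHIVE EXPECTED_SHA256 INSTALL_DIR
# Runs in a subshell so variables and the cleanup trap stay local.
install_verified_aliyun() (
  archive=$1 expected=$2 dest=$3

  # 1. Refuse to unpack anything whose digest differs from the pinned value.
  actual=$(sha256_of "$archive")
  if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
    echo "refusing to install: sha256 '$actual' != pinned '$expected'" >&2
    exit 1
  fi

  # 2. Extract only the expected member into a private temp dir, not /tmp.
  tmp=$(mktemp -d) || exit 1
  trap 'rm -rf "$tmp"' EXIT
  tar -xzf "$archive" -C "$tmp" aliyun || exit 1

  # 3. Accept a regular file only; a symlink member could point elsewhere.
  if [ -L "$tmp/aliyun" ] || [ ! -f "$tmp/aliyun" ]; then
    echo "refusing to install: 'aliyun' is not a regular file" >&2
    exit 1
  fi

  # 4. Install with explicit permissions, replacing the old binary last.
  mkdir -p "$dest" || exit 1
  cp "$tmp/aliyun" "$dest/aliyun.new" || exit 1
  chmod 0755 "$dest/aliyun.new" || exit 1
  mv -f "$dest/aliyun.new" "$dest/aliyun"
)
```

The scan assessment on this page mentions passing --binary-path to ensure_aliyun_cli.py for a binary that was downloaded and verified manually.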

Configure Credentials

aliyun configure set \
  --profile default \
  --mode AK \
  --access-key-id <AK> \
  --access-key-secret <SK> \
  --region cn-hangzhou

View configured profiles:

aliyun configure list

Command structure

  • Generic form: aliyun <product> <ApiName> --Param1 value1 --Param2 value2
  • REST form: aliyun <product> [GET|POST|PUT|DELETE] <PathPattern> --body '...json...'

API Discovery and Parameter Validation

aliyun help
aliyun ecs --help
aliyun ecs DescribeRegions --help

Common Read-Only Examples

# ECS: list regions
aliyun ecs DescribeRegions

# ECS: list instances by region
aliyun ecs DescribeInstances --RegionId cn-hangzhou

# SLS: list projects by endpoint
aliyun sls ListProject --endpoint cn-hangzhou.log.aliyuncs.com --size 100

Common Issues

  • InvalidAccessKeyId.NotFound / SignatureDoesNotMatch: check AK/SK and profile.
  • MissingRegionId: add --region or configure default region in profile.
  • For SLS endpoint errors, explicitly pass --endpoint <region>.log.aliyuncs.com.

Execution Recommendations

  • Run ensure_aliyun_cli.py before starting tasks.
  • If resource scope is unclear, query first then mutate.
  • Before delete/overwrite operations, output the target resource list first.
  • For batch operations, validate one item in a small scope first.

References

  • Official source list: references/sources.md

Prerequisites

  • Configure least-privilege Alibaba Cloud credentials before execution.
  • Prefer environment variables: ALICLOUD_ACCESS_KEY_ID, ALICLOUD_ACCESS_KEY_SECRET, optional ALICLOUD_REGION_ID.
  • If region is unclear, ask the user before running mutating operations.

Workflow

  1. Confirm user intent, region, identifiers, and whether the operation is read-only or mutating.
  2. Run one minimal read-only query first to verify connectivity and permissions.
  3. Execute the target operation with explicit parameters and bounded scope.
  4. Verify results and save output/evidence files.
