ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Aliyun Cloudfw Manage

v1.0.0

Use when managing Alibaba Cloud Cloud Firewall (Cloudfw) via OpenAPI/SDK, including the user requests firewall policy/resource operations, change management,...

0· 85·0 current·0 all-time
by@cinience

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for cinience/aliyun-cloudfw-manage.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Aliyun Cloudfw Manage" (cinience/aliyun-cloudfw-manage) from ClawHub.
Skill page: https://clawhub.ai/cinience/aliyun-cloudfw-manage
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install aliyun-cloudfw-manage

ClawHub CLI

Package manager switcher

npx clawhub@latest install aliyun-cloudfw-manage
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill's stated purpose (manage Alibaba Cloud CloudFW) legitimately requires Alibaba Cloud credentials and region information. However, the registry metadata lists no required env vars, primary credential, or config paths even though SKILL.md explicitly prioritizes ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET / ALICLOUD_REGION_ID and ~/.alibabacloud/credentials. This mismatch is incoherent: someone building this skill should declare those requirements.
!
Instruction Scope
SKILL.md instructs the agent to use environment variables and a shared credentials file (~/.alibabacloud/credentials), to call SDK/OpenAPI (including mutating Create/Update/Modify APIs), and to write artifacts under output/aliyun-cloudfw-manage/. Those instructions are reasonable for a CloudFW manager, but they reference reading credentials and potentially performing mutations while the package metadata does not surface or restrict those capabilities. The script included only fetches public API metadata from api.aliyun.com (expected).
Install Mechanism
No install spec — instruction-only plus a small Python script that fetches metadata from the official api.aliyun.com endpoints. No remote, untrusted binary downloads or extraction. Low install risk.
!
Credentials
The credentials requested in SKILL.md (ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET and optional ALICLOUD_REGION_ID) are proportional to the stated purpose. The problem is they are not declared in the skill metadata (requires.env / primaryEnv) and the skill instructs reading ~/.alibabacloud/credentials without declaring that config path. This omission makes it unclear to users/administrators what secrets the skill will use or require.
Persistence & Privilege
always is false and the skill does not request system-wide modification or persistent elevated privileges. The agent can invoke the skill autonomously by default (disable-model-invocation is false), which is platform-standard; combine this with the credential mismatch and you should be cautious about allowing autonomous runs that could perform mutating API calls.
What to consider before installing
Before installing or enabling this skill: (1) Require the publisher to update the skill metadata to declare the exact required env vars (ALICLOUD_ACCESS_KEY_ID, ALICLOUD_ACCESS_KEY_SECRET, optional ALICLOUD_REGION_ID) and the config path (~/.alibabacloud/credentials) so the platform can surface permission prompts. (2) Only provide least-privilege Alibaba Cloud credentials (narrow IAM policy) and test with read-only credentials first. (3) Review and run the included script locally to verify behavior (it fetches public metadata from api.aliyun.com). (4) If you allow autonomous invocation, restrict or audit mutating operations (Create/Update/Modify) — consider disabling autonomous invocation until metadata/behavior is clarified. (5) If the publisher cannot justify the missing metadata, treat the omission as a red flag and avoid giving credentials or enabling the skill for production use.

Like a lobster shell, security has layers — review code before you run it.

latestvk974xq2xyw62j3h4ybqtxyb0y9842e6b
85downloads
0stars
1versions
Updated 3w ago
v1.0.0
MIT-0
@cinience
latest
Download

Category: service

Cloud Firewall

Use Alibaba Cloud OpenAPI (RPC) with official SDKs or OpenAPI Explorer to manage resources for Cloud Firewall.

Workflow

  1. Confirm region, resource identifiers, and desired action.
  2. Discover API list and required parameters (see references).
  3. Call API with SDK or OpenAPI Explorer.
  4. Verify results with describe/list APIs.

AccessKey priority (must follow)

  1. Environment variables: ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET / ALICLOUD_REGION_ID Region policy: ALICLOUD_REGION_ID is an optional default. If unset, decide the most reasonable region for the task; if unclear, ask the user.
  2. Shared config file: ~/.alibabacloud/credentials

API discovery

  • Product code: Cloudfw
  • Default API version: 2017-12-07
  • Use OpenAPI metadata endpoints to list APIs and get schemas (see references).

High-frequency operation patterns

  1. Inventory/list: prefer List* / Describe* APIs to get current resources.
  2. Change/configure: prefer Create* / Update* / Modify* / Set* APIs for mutations.
  3. Status/troubleshoot: prefer Get* / Query* / Describe*Status APIs for diagnosis.

Minimal executable quickstart

Use metadata-first discovery before calling business APIs:

python scripts/list_openapi_meta_apis.py

Optional overrides:

python scripts/list_openapi_meta_apis.py --product-code <ProductCode> --version <Version>

The script writes API inventory artifacts under the skill output directory.

Output policy

If you need to save responses or generated artifacts, write them under: output/aliyun-cloudfw-manage/

Validation

mkdir -p output/aliyun-cloudfw-manage
for f in skills/security/firewall/aliyun-cloudfw-manage/scripts/*.py; do
  python3 -m py_compile "$f"
done
echo "py_compile_ok" > output/aliyun-cloudfw-manage/validate.txt

Pass criteria: command exits 0 and output/aliyun-cloudfw-manage/validate.txt is generated.

Output And Evidence

  • Save artifacts, command outputs, and API response summaries under output/aliyun-cloudfw-manage/.
  • Include key parameters (region/resource id/time range) in evidence files for reproducibility.

Prerequisites

  • Configure least-privilege Alibaba Cloud credentials before execution.
  • Prefer environment variables: ALICLOUD_ACCESS_KEY_ID, ALICLOUD_ACCESS_KEY_SECRET, optional ALICLOUD_REGION_ID.
  • If region is unclear, ask the user before running mutating operations.

References

  • Sources: references/sources.md

Comments

Loading comments...