ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Aliyun Live Manage

v1.0.0

Use when managing Alibaba Cloud ApsaraVideo Live resources and workflows via OpenAPI/SDK, including live domain configuration, stream ingest and playback set...

0· 4·0 current·0 all-time
by@cinience
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, templates, and the included Python script all align with managing ApsaraVideo Live via OpenAPI metadata and SDKs. The provided script fetches API metadata from api.aliyun.com and writes it to output/aliyun-live-manage, which is coherent with the stated purpose.
Instruction Scope
SKILL.md limits runtime actions to discovering metadata, running read-only Describe/List calls first, and saving evidence under output/aliyun-live-manage. It does recommend using credentials for write operations (and to confirm region before writes). There are no instructions to read unrelated system files or to send data to endpoints outside the Alibaba OpenAPI endpoints, but the guidance to use shared credentials implies the agent may access local credential files or environment variables.
Install Mechanism
No install spec; instruction-only skill plus a small helper script. No external downloads or archive extraction. Low install risk.
!
Credentials
SKILL.md explicitly recommends using ALICLOUD_ACCESS_KEY_ID, ALICLOUD_ACCESS_KEY_SECRET, ALICLOUD_REGION_ID and the shared config file ~/.alibabacloud/credentials, yet the registry lists no required env vars or config paths. The helper script itself only reads OPENAPI_META_TIMEOUT (not declared) and fetches a public metadata URL, but the skill's intended write operations would need cloud credentials — this mismatch between declared requirements and instructions is an incoherence and could lead to unexpected credential use.
Persistence & Privilege
always:false and no modifications to other skills or system-wide settings. The skill does not request persistent presence or elevated platform privileges.
What to consider before installing
This skill appears to be a legitimate helper for Alibaba Cloud ApsaraVideo Live, but the SKILL.md expects you to provide Alibaba credentials (ALICLOUD_ACCESS_KEY_ID/SECRET or ~/.alibabacloud/credentials) even though the registry metadata doesn't declare them. Before installing: (1) confirm you want the agent to have any Alibaba credentials and provide only least-privilege RAM/STS credentials limited to the relevant region and Live APIs; (2) verify the skill source (homepage is missing) and inspect the files locally; (3) if you don't intend the skill to perform write operations, run it in read-only mode and avoid supplying write-capable keys; (4) ask the publisher to update registry metadata to declare the required env vars/config paths to remove the mismatch. If you cannot verify the source or do not want the agent to access cloud credentials, do not install.

Like a lobster shell, security has layers — review code before you run it.

latestvk979yj6af8g5jxwved4s8b9t6s84271f

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Category: service

ApsaraVideo Live

Validation

mkdir -p output/aliyun-live-manage
python -m py_compile skills/media/live/aliyun-live-manage/scripts/list_openapi_meta_apis.py
echo "py_compile_ok" > output/aliyun-live-manage/validate.txt

Pass criteria: command exits 0 and output/aliyun-live-manage/validate.txt is generated.

Output And Evidence

  • Save API inventory and operation evidence under output/aliyun-live-manage/.
  • Keep region, domain, app/stream, and request parameters in evidence files.

Use Alibaba Cloud OpenAPI (RPC) with official SDKs or OpenAPI Explorer to manage Live resources. Prefer metadata-first API discovery before mutate operations.

Prerequisites

  • Prepare least-privilege RAM AccessKey/STS credentials.
  • Confirm target region and live domain scope before changes.
  • Query current state with read-only APIs (Describe* / List*) before Add* / Set* / Delete*.

Workflow

  1. Confirm target live domain, app name/stream name, and desired operation.
  2. Discover API names and required parameters via metadata and API Explorer.
  3. Execute read-only validation calls.
  4. Apply change operations with rollback plan.
  5. Save results and context under output/aliyun-live-manage/.

AccessKey Priority

  1. Environment variables: ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET / ALICLOUD_REGION_ID.
  2. Shared config file: ~/.alibabacloud/credentials.

If region is ambiguous, ask before write operations.

API Discovery

  • Product code: live
  • Default API version: 2016-11-01
  • Metadata source: https://api.aliyun.com/meta/v1/products/live/versions/2016-11-01/api-docs.json

Minimal Executable Quickstart

python skills/media/live/aliyun-live-manage/scripts/list_openapi_meta_apis.py

Optional overrides:

python skills/media/live/aliyun-live-manage/scripts/list_openapi_meta_apis.py \
  --product-code live \
  --version 2016-11-01 \
  --output-dir output/aliyun-live-manage

Common Operation Mapping

  • Domain management: AddLiveDomain, DeleteLiveDomain, DescribeLiveDomains
  • Stream ingest/play auth: AddLiveDomainMapping, SetLiveDomainStagingConfig
  • Record/transcode/template: AddLiveRecordTemplate, AddLiveTranscodeTemplate, DescribeLiveRecordConfig
  • Monitor and metrics: DescribeLiveStreamOnlineList, DescribeLiveDomainBpsData, DescribeLiveDomainTrafficData
  • Stream control: ForbidLiveStream, ResumeLiveStream, AddLiveAppRecordConfig

Output Policy

Write all generated files and execution evidence under: output/aliyun-live-manage/

References

  • Source list: references/sources.md
  • Task templates: references/templates.md

Files

5 total
Select a file
Select a file to preview.

Comments

Loading comments…