Aliyun Platform Docs Review
v1.0.0Use when reviewing latest Alibaba Cloud product docs and OpenAPI docs by product name, then output detailed prioritized improvement suggestions with evidence...
⭐ 0· 8·0 current·0 all-time
MIT-0
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description claim a docs + API reviewer for Alibaba Cloud and the included script implements web/API fetches and analysis of public metadata — that aligns. However SKILL.md asks the user to “Configure least-privilege Alibaba Cloud credentials” (ALICLOUD_ACCESS_KEY_ID, ALICLOUD_ACCESS_KEY_SECRET, optional region) even though the skill manifest declares no required env vars and the visible script does not reference environment credentials. This inconsistency is disproportionate to the stated purpose.
Instruction Scope
The SKILL.md instructs the agent to collect and save evidence under output/..., and to include key parameters (region/resource id/time range) for reproducibility. Asking to capture region/resource IDs may cause collection of identifiers that could be sensitive. The script (as provided) fetches public endpoints (api.aliyun.com, www.aliyun.com, help.aliyun.com) which is expected, but the instructions also advise configuring cloud credentials and to ask before running mutating operations — the script appears read-only in the shown portion, so these extra instructions constitute scope creep and possible overreach.
Install Mechanism
No install spec; this is an instruction-only skill with a bundled Python script. No downloads or external installers are executed by the skill manifest itself, which is low-risk from an install-mechanism perspective.
Credentials
Manifest lists no required env vars, but SKILL.md explicitly recommends providing Alibaba Cloud credentials via ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET and possibly region. The provided script does HTTP(S) requests and parsing of public pages and shows no use of credentials in the visible code. Requesting credentials (and asking evidence to include region/resource ids) without code-level justification is disproportionate and could enable accidental disclosure of secrets if users follow guidance.
Persistence & Privilege
always is false, no service installation, and the skill writes only to a local output/ directory per SKILL.md. It does not request persistent agent-level privileges or modify other skills. This is low-privilege.
What to consider before installing
This skill appears to perform public web/API scraping of Alibaba Cloud docs and produce a report, which matches its description. However, SKILL.md asks you to set Alibaba Cloud credentials and to include region/resource IDs in evidence, while the manifest declares no env vars and the visible script doesn't use credentials — that mismatch is concerning.
Before installing or running:
- Ask the skill author/maintainer to explain why credentials are needed and update the manifest if they truly are required.
- Review the rest of the script (the truncated portion) to confirm there is no code that uses or exfiltrates credentials or other secrets.
- Do not provide production credentials; if credentials are truly needed, provide a tightly-scoped read-only key in a sandbox account or use a throwaway test key.
- Run the script in an isolated environment (no access to sensitive networks) and inspect output/ files to ensure they don't inadvertently include secrets or sensitive resource identifiers.
- If you cannot get a satisfactory explanation for the credential requirement, treat the credential request as unnecessary and avoid supplying secrets.Like a lobster shell, security has layers — review code before you run it.
latest
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
Alibaba Cloud Product Docs + API Docs Reviewer
Use this skill when the user gives a product name and asks for an end-to-end documentation/API quality review.
What this skill does
- Resolve product from latest OpenAPI metadata.
- Fetch latest API docs for default version.
- Discover product/help-doc links from official product page.
- Produce a structured review report with:
- score
- evidence
- prioritized suggestions (P0/P1/P2)
Workflow
Run the bundled script:
python skills/platform/docs/aliyun-platform-docs-review/scripts/review_product_docs_and_api.py --product "<product name or product code>"
Example:
python skills/platform/docs/aliyun-platform-docs-review/scripts/review_product_docs_and_api.py --product "ECS"
Output policy
All generated artifacts must be written under:
output/aliyun-platform-docs-review/
For each run, the script creates:
review_evidence.jsonreview_report.md
Reporting guidance
When answering the user:
- State resolved product + version first.
- Summarize the score and the top 3 issues.
- List P0/P1/P2 recommendations with concrete actions.
- Provide source links used in the report.
Validation
mkdir -p output/aliyun-platform-docs-review
for f in skills/platform/docs/aliyun-platform-docs-review/scripts/*.py; do
python3 -m py_compile "$f"
done
echo "py_compile_ok" > output/aliyun-platform-docs-review/validate.txt
Pass criteria: command exits 0 and output/aliyun-platform-docs-review/validate.txt is generated.
Output And Evidence
- Save artifacts, command outputs, and API response summaries under
output/aliyun-platform-docs-review/. - Include key parameters (region/resource id/time range) in evidence files for reproducibility.
Prerequisites
- Configure least-privilege Alibaba Cloud credentials before execution.
- Prefer environment variables:
ALICLOUD_ACCESS_KEY_ID,ALICLOUD_ACCESS_KEY_SECRET, optionalALICLOUD_REGION_ID. - If region is unclear, ask the user before running mutating operations.
References
- Review rubric:
references/review-rubric.md
Files
4 totalSelect a file
Select a file to preview.
Comments
Loading comments…