Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Aliyun Rds Supabase

v1.0.0

Use when managing Alibaba Cloud RDS Supabase (RDS AI Service 2025-05-07) via OpenAPI, including creating, starting/stopping/restarting instances, resetting p...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name and description (managing Alibaba Cloud RDS Supabase via OpenAPI) match the instructions and reference docs. However, the registry metadata declares no required environment variables or primary credential, while SKILL.md clearly states AccessKey/Secret/Region (ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET / ALICLOUD_REGION_ID) and a credentials file as priority sources. That metadata omission is inconsistent and reduces trust in the package manifest.
Instruction Scope
SKILL.md stays within the expected operational scope (querying/creating/stopping instances, modifying auth/storage/RAG/SSL/IP whitelist, etc.). It instructs the agent to prefer environment variables and to fall back to ~/.alibabacloud/credentials, run a minimal read-only query first, and save evidence under an output directory. Notable issues: the SKILL.md uses two different output paths (output/database-rds-supabase/ vs output/aliyun-rds-supabase/) which is an internal inconsistency, and agents/openai.yaml default_prompt references a slightly different skill name variable ($alicloud-database-rds-supabase). These are likely sloppy but should be corrected.
Install Mechanism
Instruction-only skill with no install spec and no bundled executables or downloads. This is low-risk from an installation perspective — nothing is written or fetched by an automated installer.
Credentials
The instructions legitimately require sensitive credentials (ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET and optional ALICLOUD_REGION_ID) and may read ~/.alibabacloud/credentials. Those requests are proportionate to the stated purpose, but the skill metadata does not declare them as required environment variables or a primary credential. Because the skill could also modify storage config (which may include external S3 keys) and reset passwords, operators should ensure they only supply least-privilege credentials and understand that the skill may read the local credentials file.
Persistence & Privilege
The skill does not request always:true, does not install persistent components, and does not declare system-wide configuration modifications. Normal autonomous invocation is allowed (disable-model-invocation is false), which is standard; no elevated persistence was requested.
Scan Findings in Context
[no-regex-findings] expected: The repository is instruction-only and the regex-based scanner had no code files to analyze. Absence of findings is expected but not evidence of safety.
What to consider before installing
This skill appears to implement the advertised Alibaba Cloud RDS Supabase management operations, but the package metadata does not declare the sensitive environment variables and credential file that the runtime instructions require. Before installing or invoking it: (1) ask the publisher to correct the manifest to explicitly declare required env vars (ALICLOUD_ACCESS_KEY_ID, ALICLOUD_ACCESS_KEY_SECRET, optional ALICLOUD_REGION_ID) and the use of ~/.alibabacloud/credentials; (2) only provide least-privilege AccessKey/Secret that are scoped to the needed RDS actions; (3) verify which output path the skill will write evidence to and confirm it won't exfiltrate results to external endpoints (the SKILL.md shows only local output directories and official Alibaba Cloud API endpoints); (4) test in a non-production account or with a tightly scoped test role first. The lack of code files reduces installer risk, but metadata inconsistencies and credential access make this suspicious until clarified.
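
The manifest-versus-instructions check described above can be reproduced locally before installing a skill. This is an added example, not ClawHub's or OpenClaw's scanner code; the manifest keys `required_env` and `primary_credential` are assumed names, and the SKILL.md excerpt is constructed from lines shown on this page.

```python
import re

# Constructed excerpt of the SKILL.md lines quoted on this page.
SKILL_MD = """\
Environment variables (preferred): ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET / ALICLOUD_REGION_ID
Standard credentials file: ~/.alibabacloud/credentials
If you need to save results or responses, write to: output/database-rds-supabase/
mkdir -p output/aliyun-rds-supabase
echo "validation_placeholder" > output/aliyun-rds-supabase/validate.txt
Save artifacts, command outputs, and API response summaries under output/aliyun-rds-supabase/.
"""

# Hypothetical manifest shape (assumption): the page only states that the
# registry metadata declares no required env vars and no primary credential.
MANIFEST = {"required_env": [], "primary_credential": None}

ENV_RE = re.compile(r"\b[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+\b")  # UPPER_SNAKE names
HOME_PATH_RE = re.compile(r"~/[\w.\-/]+")                  # files under $HOME
OUTPUT_DIR_RE = re.compile(r"\boutput/([\w.\-]+)")         # first dir under output/
SECRET_HINTS = ("KEY", "SECRET", "TOKEN", "PASSWORD")


def audit_skill(manifest, skill_md):
    """Compare what the manifest declares with what the instructions use."""
    referenced = sorted(set(ENV_RE.findall(skill_md)))
    declared = set(manifest.get("required_env") or [])
    undeclared = [v for v in referenced if v not in declared]
    sensitive = [v for v in undeclared if any(h in v for h in SECRET_HINTS)]
    output_dirs = sorted(set(OUTPUT_DIR_RE.findall(skill_md)))
    return {
        "undeclared_env": undeclared,
        "undeclared_sensitive_env": sensitive,
        "credential_files": sorted(set(HOME_PATH_RE.findall(skill_md))),
        "output_dirs": output_dirs,
        # More than one output directory means evidence may land in two places.
        "inconsistent_output_dirs": len(output_dirs) > 1,
        # Secrets are read but the manifest names no primary credential.
        "missing_primary_credential": bool(sensitive)
        and not manifest.get("primary_credential"),
    }


if __name__ == "__main__":
    for key, value in audit_skill(MANIFEST, SKILL_MD).items():
        print(f"{key}: {value}")
```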

Like a lobster shell, security has layers — review code before you run it.


SKILL.md

Category: service

Alibaba Cloud RDS Supabase (RDS AI Service 2025-05-07)

Manage RDS Supabase app instances and related configurations via RDS AI Service OpenAPI, including lifecycle, auth, storage, RAG, IP whitelist, and SSL.

Prerequisites

  • Use least-privilege RAM user/role AccessKey and prefer environment variables for AK/SK.
  • OpenAPI uses RPC signing; prefer official SDKs or OpenAPI Explorer.

Workflow

  1. Confirm resource type: instance / auth / storage / RAG / security configuration.
  2. Locate operations in references/api_overview.md.
  3. Choose invocation method (SDK / OpenAPI Explorer / custom signing).
  4. After changes, verify state and configuration with query APIs.

AccessKey Priority (Required)

  1. Environment variables (preferred): ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET / ALICLOUD_REGION_ID. Region policy: ALICLOUD_REGION_ID is an optional default; if it is unset, choose the most reasonable region and ask when unclear.
  2. Standard credentials file: ~/.alibabacloud/credentials

Default Region Strategy

  • If region is not specified, choose the most reasonable region; ask the user when unclear.
  • Only run all-region queries when explicitly needed or user-approved (call ListRegions first, then query each region).
  • If user provides region, query only that region.

Common Operation Map

  • Instance: CreateAppInstance / DeleteAppInstance / StartInstance / StopInstance / RestartInstance
  • Connectivity and auth: DescribeInstanceEndpoints / DescribeInstanceAuthInfo / ModifyInstanceAuthConfig
  • Storage: DescribeInstanceStorageConfig / ModifyInstanceStorageConfig
  • Security: ModifyInstanceIpWhitelist / DescribeInstanceIpWhitelist / ModifyInstanceSSL / DescribeInstanceSSL
  • RAG: ModifyInstanceRAGConfig / DescribeInstanceRAGConfig

Clarifying questions (ask when uncertain)

  1. What is the target instance ID and region?
  2. Is this instance lifecycle management or configuration changes (auth/storage/RAG/IP whitelist/SSL)?
  3. Do you need batch operations or an initial state query first?

Output Policy

If you need to save results or responses, write to: output/database-rds-supabase/

Validation

mkdir -p output/aliyun-rds-supabase
echo "validation_placeholder" > output/aliyun-rds-supabase/validate.txt

Pass criteria: command exits 0 and output/aliyun-rds-supabase/validate.txt is generated.

Output And Evidence

  • Save artifacts, command outputs, and API response summaries under output/aliyun-rds-supabase/.
  • Include key parameters (region/resource id/time range) in evidence files for reproducibility.

Prerequisites

  • Configure least-privilege Alibaba Cloud credentials before execution.
  • Prefer environment variables: ALICLOUD_ACCESS_KEY_ID, ALICLOUD_ACCESS_KEY_SECRET, optional ALICLOUD_REGION_ID.
  • If region is unclear, ask the user before running mutating operations.

Workflow

  1. Confirm user intent, region, identifiers, and whether the operation is read-only or mutating.
  2. Run one minimal read-only query first to verify connectivity and permissions.
  3. Execute the target operation with explicit parameters and bounded scope.
  4. Verify results and save output/evidence files.

References

  • API overview and operation groups: references/api_overview.md
  • Core API parameter quick reference: references/api_reference.md
  • All-region query examples: references/query-examples.md
  • Official source list: references/sources.md
