Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Aliyun Sas Manage

v1.0.0

Use when managing Alibaba Cloud Security Center (Sas) via OpenAPI/SDK, including the user needs Security Center resource operations, configuration updates, s...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for cinience/aliyun-sas-manage.

Install the skill "Aliyun Sas Manage" (cinience/aliyun-sas-manage) from ClawHub.
Skill page: https://clawhub.ai/cinience/aliyun-sas-manage
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install aliyun-sas-manage

ClawHub CLI


npx clawhub@latest install aliyun-sas-manage

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The name/description align with the included script and instructions: this is a tool for discovering and calling Alibaba Cloud Security Center (Sas) OpenAPI. Requiring Alibaba Cloud credentials is expected for the purpose. However the registry metadata lists no required environment variables or primary credential while SKILL.md explicitly expects ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET and optionally ALICLOUD_REGION_ID (or ~/.alibabacloud/credentials), which is an inconsistency between claimed requirements and actual instructions.
! Instruction Scope
SKILL.md instructs the agent to use SDK/OpenAPI with cloud credentials, run the included script that fetches metadata from api.aliyun.com, and save artifacts and 'key parameters' (region/resource id/time range) to output/. Saving these parameters may persist sensitive identifiers. The instructions also give the agent discretion to pick a region if environment variables are unset, which is vague and broad. The instructions do not ask for unrelated system files, and the script itself only fetches public OpenAPI metadata, but the overall guidance to include credential-sourced operations and evidence files increases risk if credentials or sensitive identifiers are mishandled.
Install Mechanism
Instruction-only skill with a small Python script; no install spec, no downloads, no archive extraction. The included script uses urllib to GET official api.aliyun.com metadata — this is low install risk.
! Credentials
SKILL.md requires Alibaba Cloud access keys (env vars or shared credentials file) which are proportional to managing SAS. But the registry metadata did not declare these required env vars or a primary credential, creating a transparency gap. The instructions also request writing 'key parameters' to disk (which may include resource IDs or time ranges) — users should be careful about where evidence is stored and who can access those files. Overall the credentials requested are appropriate for the task, but their omission from declared requirements is a red flag.
Persistence & Privilege
always:false and no install script that modifies other skills or global agent settings. The skill does write output under its own output/aliyun-sas-manage/ directory (normal). It does not request permanent platform-wide privileges.
What to consider before installing
This skill appears to be a legitimate Alibaba Cloud Security Center helper, but the package metadata fails to declare that it needs your ALICLOUD_ACCESS_KEY_ID and ALICLOUD_ACCESS_KEY_SECRET (or ~/.alibabacloud/credentials). Before installing:

  1. Confirm the publisher/source and ask them to update the registry to list required env vars.
  2. Use least-privilege or temporary Alibaba Cloud credentials (do not use root keys).
  3. Run the skill in an isolated environment or container if possible.
  4. Review output/aliyun-sas-manage/ after runs and avoid writing long-lived secrets or full credential files into that directory.
  5. If you need to allow autonomous agent invocation, be aware the agent could perform API calls using provided credentials — only grant permissions required for the specific operations.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cvk3zq2jxymh6zb36ysvyw1842e9v
79 downloads
0 stars
1 versions
Updated 3w ago
v1.0.0
MIT-0

Category: service

Security Center

Use Alibaba Cloud OpenAPI (RPC) with official SDKs or OpenAPI Explorer to manage resources for Security Center.

Workflow

  1. Confirm region, resource identifiers, and desired action.
  2. Discover API list and required parameters (see references).
  3. Call API with SDK or OpenAPI Explorer.
  4. Verify results with describe/list APIs.

AccessKey priority (must follow)

  1. Environment variables: ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET / ALICLOUD_REGION_ID
     Region policy: ALICLOUD_REGION_ID is an optional default. If unset, decide the most reasonable region for the task; if unclear, ask the user.
  2. Shared config file: ~/.alibabacloud/credentials

API discovery

  • Product code: Sas
  • Default API version: 2021-01-14
  • Use OpenAPI metadata endpoints to list APIs and get schemas (see references).

High-frequency operation patterns

  1. Inventory/list: prefer List* / Describe* APIs to get current resources.
  2. Change/configure: prefer Create* / Update* / Modify* / Set* APIs for mutations.
  3. Status/troubleshoot: prefer Get* / Query* / Describe*Status APIs for diagnosis.

Minimal executable quickstart

Use metadata-first discovery before calling business APIs:

python scripts/list_openapi_meta_apis.py

Optional overrides:

python scripts/list_openapi_meta_apis.py --product-code <ProductCode> --version <Version>

The script writes API inventory artifacts under the skill output directory.

Output policy

If you need to save responses or generated artifacts, write them under: output/aliyun-sas-manage/

Validation

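mkdir -p output/aliyun-sas-manage
for f in skills/security/host/aliyun-sas-manage/scripts/*.py; do
  # Stop at the first script that fails to compile, so the marker below is not written on failure.
  python3 -m py_compile "$f" || exit 1
done
echo "py_compile_ok" > output/aliyun-sas-manage/validate.txt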

Pass criteria: command exits 0 and output/aliyun-sas-manage/validate.txt is generated.

Output And Evidence

  • Save artifacts, command outputs, and API response summaries under output/aliyun-sas-manage/.
  • Include key parameters (region/resource id/time range) in evidence files for reproducibility.
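
An added example, not part of the skill or its scripts, of the AccessKey priority and the evidence rule above: it resolves credentials in the stated order and builds an evidence record that carries the key parameters without the secret. The function names, the [default] INI profile layout assumed for ~/.alibabacloud/credentials, and all sample values are assumptions made for illustration.

```python
import configparser
import json
import os
from pathlib import Path

ENV_ID = "ALICLOUD_ACCESS_KEY_ID"
ENV_SECRET = "ALICLOUD_ACCESS_KEY_SECRET"
ENV_REGION = "ALICLOUD_REGION_ID"

def resolve_credentials(env=None, cred_file="~/.alibabacloud/credentials"):
    """Apply the stated priority: environment variables first, shared file second."""
    env = os.environ if env is None else env
    region = env.get(ENV_REGION) or None  # optional default; None means "ask the user"
    if env.get(ENV_ID) and env.get(ENV_SECRET):
        return {"key_id": env[ENV_ID], "secret": env[ENV_SECRET],
                "region": region, "source": "env"}
    path = Path(cred_file).expanduser()
    if path.is_file():
        # Assumption: INI layout with a [default] profile holding
        # access_key_id / access_key_secret. Interpolation is disabled so a
        # '%' inside a secret is read literally.
        cfg = configparser.ConfigParser(interpolation=None)
        cfg.read(path)
        if cfg.has_section("default"):
            prof = cfg["default"]
            if prof.get("access_key_id") and prof.get("access_key_secret"):
                return {"key_id": prof["access_key_id"],
                        "secret": prof["access_key_secret"],
                        "region": region, "source": "shared-file"}
    raise LookupError("no Alibaba Cloud credentials found in env or shared file")

def evidence_record(creds, resource_id, time_range):
    """Key parameters for an evidence file: no secret, key id masked after 4 chars."""
    if creds["region"] is None:
        raise ValueError("region unset: confirm it with the user before recording")
    return {"region": creds["region"], "resource_id": resource_id,
            "time_range": time_range, "credential_source": creds["source"],
            "access_key_id": creds["key_id"][:4] + "****"}

if __name__ == "__main__":
    # Constructed sample values, not real keys or resources.
    sample_env = {ENV_ID: "LTAI-EXAMPLE-ID", ENV_SECRET: "example-secret",
                  ENV_REGION: "cn-hangzhou"}
    creds = resolve_credentials(sample_env, cred_file="/nonexistent/credentials")
    record = evidence_record(creds, "i-example", "2024-01-01/2024-01-02")
    print(json.dumps(record, indent=2))
```

Writing only the output of evidence_record() under output/aliyun-sas-manage/ keeps region, resource id and time range reproducible while the secret stays out of the directory.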

Prerequisites

  • Configure least-privilege Alibaba Cloud credentials before execution.
  • Prefer environment variables: ALICLOUD_ACCESS_KEY_ID, ALICLOUD_ACCESS_KEY_SECRET, optional ALICLOUD_REGION_ID.
  • If region is unclear, ask the user before running mutating operations.

References

  • Sources: references/sources.md
