ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SLS + ARMS 全链路问题排查

v1.0.0

查询阿里云SLS日志和ARMS调用链,结合源码和数据库进行全链路问题排查。 完整流程:查日志 → 画调用链 → 定位源码 → 排查数据库 → 给出修复方案。 Use when: 用户说「分析sls」「分析问题」或想排查业务服务/线上接口/用户请求的报错或异常。 触发示例:「分析sls」「帮我查一下这个trace_...

0· 74·0 current·0 all-time
byZhichao Lee@ccrazyfish
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The name/description (SLS + ARMS trace analysis) matches the included Python script and README. However the declared required env vars in metadata (ALIBABA_CLOUD_ACCESS_KEY_ID / ALIBABA_CLOUD_ACCESS_KEY_SECRET) do not match the credentials the script actually expects (SLS_ACCESS_KEY_ID, SLS_ACCESS_KEY_SECRET, ARMS_ACCESS_KEY_ID, ARMS_ACCESS_KEY_SECRET, ARMS_REGION_ID, SLS_PROJECT, SLS_LOGSTORE). The script also uses ~/.openclaw/openclaw.json as a fallback source for envs, which expands the set of credentials/config it will read beyond what the skill metadata declares.
!
Instruction Scope
SKILL.md forces the agent to run a local Python script from the skill workspace and mandates exact, non-editable output templates (a strong prompt-injection pattern). It also requires automatic execution of codebase searches and database '排查' (investigation). Those steps can access arbitrary local repo files and potentially sensitive DB info. The instructions forbid other local searches while simultaneously demanding automatic code/DB searches — an internal inconsistency that increases risk.
Install Mechanism
This is instruction-only with a bundled Python script and requirements.txt (no remote downloads or post-install hooks). No install spec is provided. The risk comes from executing the included script rather than from an install mechanism.
!
Credentials
Metadata requests only generic Alibaba AK/SK, but the script requires multiple service-specific env vars (SLS_* and ARMS_* plus project/logstore names). More importantly, the script will read ~/.openclaw/openclaw.json to obtain env values as a fallback — meaning it can access other credentials/config stored there (cross-skill/global config). The skill promises automated DB checks but declares no DB credentials — it may attempt to discover DB connection info from openclaw.json or local files, which is disproportionate to the simple 'provide one API key' expectation.
!
Persistence & Privilege
The skill is not marked always:true and doesn't install persistently, which is good. However the script reads the user's OpenClaw config (~/.openclaw/openclaw.json) to obtain environment variables; that grants it access to potentially unrelated secrets belonging to other skills or the user. That cross-config access is a privilege beyond its stated scope.
Scan Findings in Context
[unicode-control-chars] unexpected: SKILL.md contains strict, exact-output templates and a detected unicode-control-chars pattern. This looks like a prompt-injection attempt to coerce the agent's responses (requiring verbatim output), which is not a legitimate part of a log/tracing helper.
What to consider before installing
What to consider before installing: - Credential mismatch: The skill metadata asks for ALIBABA_CLOUD_ACCESS_KEY_ID/SECRET, but the script expects many SLS_* and ARMS_* env vars (SLS_PROJECT, SLS_LOGSTORE, ARMS_REGION_ID, etc.). Confirm which exact credentials are required. Do not assume the metadata is authoritative. - OpenClaw config access: The script will try to read ~/.openclaw/openclaw.json for env values. That file can contain other secrets (other skills' tokens, DB URLs). If you install/run this, it can access those values. Avoid putting production secrets in openclaw.json or remove/inspect those entries first. - Inspect the code yourself: Review scripts/query_trace.py fully (network calls, any hard-coded endpoints, where it sends collected logs, whether it writes files). Run it in a controlled environment before giving it real credentials. - Least privilege for credentials: If you must provide credentials, create dedicated AK/SK with the minimal permissions (read-only to the specific SLS project/logstores and ARMS read access) scoped to a non-production account if possible. - Database access: The skill promises automatic DB '排查' but declares no DB credentials. Determine how it will access databases (does it extract connection strings from openclaw.json or local files?). Do not allow it to use broad DB credentials. Prefer manual DB checks or provide read-only, limited-access test DB. - Prompt-injection behavior: SKILL.md enforces exact output templates and forbids normal agent behavior; this is an attempt to constrain or coerce the agent. That is suspicious—consider disabling autonomous invocation or avoid installing if you cannot audit/modify the skill. - Test in isolation: Before using on production traces, run the script in an isolated/VM environment with synthetic data and monitor network traffic and file system access. If you are not prepared to audit the script and control where credentials come from, treat this skill as high-risk and do not install it in environments containing sensitive production secrets.

Like a lobster shell, security has layers — review code before you run it.

latestvk97283qyfqy257g2je4602wj9183gewm

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔍 Clawdis
Binspython
EnvALIBABA_CLOUD_ACCESS_KEY_ID, ALIBABA_CLOUD_ACCESS_KEY_SECRET

Comments