aliyun-image

Pass. Audited by VirusTotal on May 12, 2026.

Findings (1)

The skill provides legitimate functionality for interacting with Alibaba Cloud's image services. However, the `scripts/client.py` file contains two significant vulnerabilities:

1) The `edit` function reads whatever local file a user-controlled path points to (e.g., `/etc/passwd`), base64-encodes its content, and sends it to the Aliyun API, posing a Local File Inclusion (LFI) risk.

2) The `download` function writes downloaded content to an arbitrary, user-supplied file path, potentially enabling path traversal and arbitrary file write.

These are critical vulnerabilities caused by a lack of input sanitization, but they do not show clear evidence of intentional malicious behavior by the skill author.