Pywayne Aliyun Oss

v0.1.0

Manage Aliyun OSS buckets in Python with upload, download, list, read, delete, copy, and move operations supporting authenticated and anonymous access.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The described purpose (manage Aliyun OSS with authenticated write and anonymous read) is coherent with the API shown in SKILL.md (endpoint, bucket, api_key/api_secret). However the skill bundle contains no code or install spec for the 'pywayne.aliyun_oss' package it instructs you to import, and the registry metadata lists no required credentials even though write operations require API keys. This mismatch is unexpected.
Instruction Scope
The runtime instructions are narrowly scoped to OSS operations (upload/download/list/delete/copy/move) and reference only OSS endpoints and local file paths. They do not direct reading unrelated system files or sending data to services outside OSS. However the instructions assume availability of a Python package and optional libraries like cv2 (for images) without telling how to install them; they also show passing api_key/api_secret but give no guidance on secure credential storage or environment variables.
! Install Mechanism
There is no install specification and no code files. SKILL.md expects import of 'pywayne.aliyun_oss', but nothing in the skill provides that module or explains how to obtain it (no pip name, no repository, no instructions). That leaves it unclear whether the agent will attempt to fetch arbitrary third-party code at runtime — an installation step that should be explicit.
! Credentials
The package metadata declares no required environment variables or primary credential, yet SKILL.md explicitly uses api_key and api_secret for write operations. This mismatch means credentials may be requested ad-hoc at runtime or passed in chat, increasing the risk of accidental secret disclosure. The skill does not request unrelated credentials, but its credential handling is under-specified.
Persistence & Privilege
The skill is not marked always:true and does not request persistent system-wide configuration or cross-skill modifications. It is user-invocable and allows autonomous invocation by default (platform standard), which is expected.
Scan Findings in Context
[NO_CODE_FILES] unexpected: The static scan found no code files to analyze. For an instruction-only skill that documents how to use an existing external Python package this can be okay — but SKILL.md implies the presence of a 'pywayne.aliyun_oss' module while the bundle provides none and gives no install instructions, preventing verification.
What to consider before installing
This skill documents a Python API for Aliyun OSS but contains no code or install instructions and doesn't declare the API credentials it expects. Before installing or using it:
1) ask the publisher for the package source (PyPI name or GitHub repo) and an explicit install command you can review;
2) do not paste your api_key/api_secret into chat; prefer providing credentials via secure environment variables or a secrets manager;
3) verify the package's provenance and review its code (or use the official Aliyun OSS SDK) before allowing the agent to pip-install anything;
4) if you need image uploads, confirm dependencies like opencv-python (cv2) are safe to install.
These steps will reduce the chance of the agent fetching or running unexpected third-party code.
