Pywayne Aliyun Oss
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If broad OSS credentials are used, the agent could perform write, delete, copy, or move actions within the permitted bucket scope.
The skill documents use of Aliyun OSS API credentials for authenticated operations; this is expected for the purpose, but those credentials can authorize cloud-storage changes.
api_key="your_api_key",
api_secret="your_api_secret"Use least-privilege OSS credentials limited to the intended bucket and operations, and confirm destructive actions before running them.
A mistaken or overly broad prefix could remove many files from an OSS bucket.
The skill includes a bulk delete-by-prefix operation. This is aligned with OSS file management, but a wrong prefix could delete multiple objects.
oss.delete_files_with_prefix(prefix="temp/")
Ask the agent to list matching keys first and require explicit confirmation before bulk delete or move operations.
Users may need to install or trust an external package not reviewed in these artifacts.
The skill relies on an external Python module, while the provided artifact set has no code files or install specification and the registry lists no source homepage. This is a provenance/completeness gap, not evidence of hidden behavior.
from pywayne.aliyun_oss import OssManager
Verify the Python package source and version before installing or using it with OSS credentials.