Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alibabacloud Sdk Client Initialization For Java

v0.0.2-beta

Initialize and manage Alibaba Cloud SDK clients in Java. Covers singleton pattern, thread safety, endpoint vs region configuration, VPC endpoints, sync vs as...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill's name and content are consistent with initializing Alibaba Cloud Java SDK clients. However, the example code calls System.getenv("ALIBABA_CLOUD_ACCESS_KEY_ID") and System.getenv("ALIBABA_CLOUD_ACCESS_KEY_SECRET") while the skill metadata declares no required environment variables or primary credential. Credentials are central to the skill's purpose and should be explicitly declared.
Instruction Scope
The SKILL.md contains runnable Java examples that read environment variables for credentials and set endpoints; these actions are within scope for a cloud SDK guide. It does not instruct the agent to read unrelated files, system config, or exfiltrate data. Still, the examples implicitly expect secrets in the environment which the metadata omits.
Install Mechanism
No install spec and no code files (instruction-only). This minimizes filesystem risk; nothing is fetched or executed by an installer.
! Credentials
The SKILL.md uses sensitive environment variables (ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET) but the skill metadata does not list them under required env or primary credential. Requiring cloud credentials would be proportionate to the purpose, but the omission is an inconsistency that could hide expected secret access.
Persistence & Privilege
always is false and there are no install actions or configuration changes. The skill does not request persistent system privileges or to modify other skills.
What to consider before installing
This is primarily an examples/instructions-only skill for Alibaba Cloud Java SDK clients and appears functionally coherent, but note two issues before installing or using it: (1) the SKILL.md examples rely on ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET environment variables, yet the skill metadata does not declare any required credentials — ask the publisher to explicitly declare required env vars or update the metadata; (2) the source and homepage are unknown, which reduces trust — prefer skills with a verifiable author or repo. If you proceed, avoid exposing long-lived root keys: use least-privilege credentials, Alibaba RAM roles or STS temporary tokens where possible, don't paste secrets into chat, and confirm how the agent will obtain/use those environment variables. Request clarification from the author about credential handling and the intended deployment environment to raise confidence.
