Security scan
OpenClaw
Suspicious
High confidence: The skill's instructions and bundled scripts require Alibaba Cloud credentials and broad SysOM/ECS permissions, but the registry metadata does not declare those requirements. This mismatch and the runtime behavior (creating a venv, installing the SDK, reading ~/.aliyun/config.json, immediately creating alert destinations from a user-provided webhook) are concerning and should be reviewed before use.
Assessment recommendations
Key things to consider before installing or using this skill:
- Metadata mismatch: The skill metadata does not declare any required credentials, but SKILL.md and the included scripts require Alibaba Cloud credentials (AK/SK, STS, or CLI profile) and many SysOM/ECS RAM permissions. Treat this as a transparency issue — assume you must provide cloud credentials to operate the skill.
- Privileged operations: Enrolling instances and creating alert strategies/destinations require high privileges (insta...
⚠ Purpose and capabilities
The skill's stated purpose (SysOM deep OS diagnosis, enrollment, DingTalk alerts) legitimately needs Alibaba Cloud credentials and SysOM/ECS permissions. However, the registry metadata declares no required env vars or primary credential, which is inconsistent. The included scripts and SKILL.md clearly rely on ALIBABA_CLOUD_ACCESS_KEY_ID / ALIBABA_CLOUD_ACCESS_KEY_SECRET (or ~/.aliyun/config.json) and require many SysOM/ECS RAM permissions for enrollment and alert configuration.
ℹ Instruction scope
SKILL.md's runtime instructions are detailed and generally constrained to the declared purpose (check Cloud Assistant, invoke diagnosis, poll results, enroll agents, create alert destinations). However, the flow enforces verbatim prompts (Step 10A/10B/13a) and mandates immediate execution of scripts using a user-provided DingTalk webhook (no intermediate confirmation), which escalates the effect of a user reply. The instructions also forbid alternative diagnosis suggestions while polling (unusual but not directly malicious). The skill reads local CLI config (~/.aliyun/config.json) and environment variables — actions that are not declared in the registry metadata.
ℹ Installation mechanism
There is no registry install spec (instruction-only). The bundle includes scripts (setup-sdk.sh) that will create a Python virtualenv and install the SysOM SDK (likely via pip). That is a moderate supply-chain risk (pulling packages from PyPI) and writes files (virtualenv) to disk. No arbitrary remote archive downloads or obscure URLs were observed in the provided files, but you should inspect setup-sdk.sh before running.
⚠ Credential requirements
The skill uses and asks the user to configure Alibaba Cloud credentials (AK/SK, STS, or CLI profile) and requires elevated SysOM/ECS permissions (invoke diagnosis, install agents, create alert destinations/strategies). Those privileges are proportionate to enrollment and alert configuration, but the registry omits declaring required credentials/primaryEnv and does not surface the high privilege level to the user — this lack of transparency is a red flag. The scripts will read environment variables and ~/.aliyun/config.json, which could access multiple profiles and secrets stored locally.
✓ Persistence and permissions
always:false (no forced persistent inclusion). The skill does not request to modify other skills or global agent settings. It will create a local virtual environment for SDK usage and write files, which is normal for running SDK scripts. No evidence it attempts system-wide privilege escalation or persistent background processes.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest: v0.0.1 (2026/4/20)
alibabacloud-aes-sysom-os-diagnosis 0.0.1 — Initial Release
- Introduces deep OS-level diagnosis workflows for Alibaba Cloud ECS, including CPU, memory, and IO troubleshooting.
- Enables secure, user-guided ECS instance diagnosis with parameter confirmation and credential security checks.
- Supports both real-time and historical analysis with customizable diagnosis parameters.
- Allows continuous diagnosis setup, instance enrollment, and DingTalk alert integration.
- Enforces strict permission and credential handling based on Alibaba Cloud best practices.
● Harmless
Install command
Official: npx clawhub@latest install alibabacloud-aes-sysom-os-diagnosis
Mirror (accelerated): npx clawhub@latest install alibabacloud-aes-sysom-os-diagnosis --registry https://cn.longxiaskill.com