Security scan
OpenClaw
Suspicious
Medium confidence. The skill's purpose (deploying WAF + ECS) matches its instructions, but there are metadata mismatches and several operational instructions that raise risk (a remote install script, enabling automatic plugin downloads, and modifying the local CLI's AI-Mode and user-agent settings) that you should review before running it.
Assessment and recommendations
This skill is broadly coherent with its stated goal (it needs to create VPC/ECS/WAF resources and therefore requires broad RAM permissions). However: 1) the registry metadata omits the required binaries and credentials; verify manually that you have the Aliyun CLI (>=3.3.3) installed and understand which authentication mode you will use. 2) Do NOT blindly run 'curl | bash'; prefer a package-manager install, or download and inspect the remote script first. 3) Be cautious about enabling --auto-plugin-install and CLI AI-Mode; these settings allow th...
ℹ Purpose and capabilities
The SKILL.md and reference docs consistently describe creating VPC/VSwitch/SecurityGroup/ECS resources and integrating WAF, and they list the exact CLI commands and RAM permissions required; that is coherent with the skill's name and description. However, the published registry metadata claims no required binaries or credentials, while the instructions absolutely require the Aliyun CLI (aliyun) and cloud credentials. This metadata omission is an inconsistency to be aware of.
⚠ Instruction scope
The runtime instructions tell the agent to run many privileged aliyun CLI operations (creating networks, instances, and WAF resources), which is expected for the stated task. They also instruct the user/agent to run 'curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash' (remote script execution), to enable AI-Mode and set a specific --user-agent on every CLI call, and to enable automatic plugin installation. Those steps change local CLI behavior, may cause remote code or plugins to be downloaded automatically, and could leak identifiable telemetry via the forced user-agent. The skill does require user confirmation before creating resources, which mitigates but does not eliminate the risk.
⚠ Installation mechanism
The skill is instruction-only (no install spec), but its docs explicitly recommend piping a remote setup script from alicdn (aliyuncli.alicdn.com) into bash and enabling automatic plugin installs. Even though alicdn is an official CDN, piping a remote script to a shell and enabling auto-plugin-install are high-risk patterns: the first executes arbitrary remote code on the host without inspection or pinning, and the second permits further automatic downloads whenever the CLI runs.
ℹ Credential requirements
The skill declares no required environment variables in its registry metadata, yet the workflow depends on Alibaba Cloud credentials (OAuth or an ECS RAM role), and the included RAM policy requires broad permissions (create VPC, run instances, create WAF, sync resources). The requested permissions are proportionate to provisioning those resources, but the metadata's omission of the aliyun CLI requirement and the credential expectations is inconsistent and could mislead less technical users. The docs do explicitly prohibit hard-coding AK/SK and prefer OAuth or a RAM role.
ℹ Persistence and permissions
The skill does not request permanent platform presence (always:false) and is user-invocable. However, it instructs the user to enable CLI-level AI-Mode and to change CLI configuration (auto-plugin-install, user-agent), and those settings persist in the user's environment until reverted. This raises the host impact compared to a purely transient script and can lead to subsequent automatic plugin downloads and telemetry tagging of every CLI request.
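As an added example (not part of this scan report and not code from the skill or from Alibaba Cloud), the following POSIX shell helper applies the checks recommended above before running an instruction-only skill. It counts the risky instructions the scan calls out (a remote installer piped to a shell, --auto-plugin-install, --user-agent, AI-Mode, and hard-coded AccessKey IDs) in a SKILL.md, and it replaces 'curl | bash' with a download-then-verify flow that refuses to execute an installer whose SHA-256 does not match a digest you supply. The sample document, the installer stub, and the pattern list are constructed for illustration; the LTAI prefix is the one Alibaba Cloud AccessKey IDs carry; the expected digest must come from a trusted channel outside this script, which is why the demo deliberately uses a placeholder and shows the refusal path.

```shell
#!/bin/sh
# Added example, not code from the scan report or the skill. Pre-install review
# helper for an instruction-only skill: flag risky instructions in its SKILL.md
# and run a downloaded installer only after a pinned SHA-256 check.

# Patterns the scan above calls out, one per line (constructed list). The last
# one relies on the "LTAI" prefix Alibaba Cloud AccessKey IDs carry; a literal
# "[|]" matches the pipe so that "curl ... | bash" is caught.
RISKY_PATTERNS='curl[^|]*[|][[:space:]]*(ba)?sh
wget[^|]*[|][[:space:]]*(ba)?sh
--auto-plugin-install
--user-agent
AI-Mode
LTAI[0-9A-Za-z]{12,}'

# Print how many lines of a document match the risky patterns (one grep pass
# per pattern; a line hitting two patterns is counted twice, which is fine for
# a triage signal).
count_risky_patterns() {
    doc="$1"
    total=0
    while IFS= read -r pat; do
        n=$(grep -Ec -- "$pat" "$doc" || true)
        total=$((total + n))
    done <<EOF
$RISKY_PATTERNS
EOF
    printf '%s\n' "$total"
}

# SHA-256 of a file, portable across GNU coreutils and BSD/macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Run a downloaded installer only if it matches the pinned digest.
# Returns 0 (and runs the script) on match, 1 otherwise, so the caller can
# never reach execution through a mismatch.
run_verified_script() {
    script="$1"
    expected="$2"
    actual=$(sha256_of "$script")
    if [ "$actual" != "$expected" ]; then
        printf 'refusing to run %s: sha256 %s != expected %s\n' \
            "$script" "$actual" "$expected" >&2
        return 1
    fi
    sh "$script"
}

# Constructed stand-in for a skill document (not the real SKILL.md); prints
# its path so a reviewer can point count_risky_patterns at it.
write_sample_doc() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Install the CLI: curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash
Then run every aliyun call with --auto-plugin-install and a fixed --user-agent in AI-Mode.
Do not hard-code AK/SK; use OAuth or an ECS RAM role instead.
EOF
    printf '%s\n' "$f"
}

# Demo: triage the constructed document, then attempt to run a constructed
# installer against a placeholder digest. The placeholder stands in for a
# digest obtained out of band; since it does not match, the run is refused.
doc=$(write_sample_doc)
printf 'risky instruction lines in sample doc: %s\n' "$(count_risky_patterns "$doc")"
installer=$(mktemp)
printf 'echo "installer would run here"\n' > "$installer"
run_verified_script "$installer" "$(printf '%064d' 0)" \
    || printf 'installer rejected, as intended for an unverified digest\n'
rm -f "$doc" "$installer"
```

To use this on a real skill, run `count_risky_patterns path/to/SKILL.md` as a first-pass triage and read every matching line by hand; a non-zero count is a prompt to review, not a verdict. For the installer, fetch setup.sh with `curl -o`, read it, obtain the publisher's digest from a channel you trust, and only then call `run_verified_script` with that digest.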
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies (as declared in the registry metadata; see the purpose and credential notes above for what the instructions actually require)
Install command
Official: npx clawhub@latest install alibabacloud-waf-quick-showcase
Mirror (accelerated): npx clawhub@latest install alibabacloud-waf-quick-showcase --registry https://cn.longxiaskill.com (mirror available)
Localization notes
Alibabacloud Waf Quick Showcase — utility. Installation notes: install commands: ["openclaw skills install alibabacloud-waf-quick-showcase","npx clawhub@latest install alibabacloud-waf-quick-showcase"]. This skill performs Alibaba Cloud operations (WAF and ECS provisioning) and may require a corresponding platform account or API credentials.