Trusted — Risk Score 5/100
Last scan: 2 days ago
alibabacloud-rds-copilot
Alibaba Cloud RDS Copilot intelligent operations assistant skill for RDS-related Q&A, SQL optimization, instance operations, and troubleshooting
Pure documentation skill with no executable code; provides legitimate Alibaba Cloud RDS Copilot integration instructions with proper credential handling guidance.
Skill Name: alibabacloud-rds-copilot
Duration: 28.9s
Engine: pi
Safe to install
No action required. Skill is a documentation-only wrapper for Alibaba Cloud CLI. The remote script URLs point to official Alibaba Cloud CDN domains.

Findings (3 items)

[Info] Remote script execution in documentation
SKILL.md includes a curl|bash pattern for CLI installation. The URLs point to the official Alibaba Cloud CDN (aliyuncli.alicdn.com), which is standard vendor practice.
Evidence: /bin/bash -c "$(curl -fsSL https://aliyuncli.alicdn.com/install.sh)"
→ Acceptable: official Alibaba Cloud CLI installation from the vendor CDN. Users should verify URLs before executing.
Location: SKILL.md:41

[Info] Credential configuration guidance is security-conscious
acceptance-criteria.md explicitly marks hardcoded credentials as INCORRECT and recommends interactive configuration via aliyun configure.
Evidence: export ALIBABA_CLOUD_ACCESS_KEY_ID=... # Do not set explicitly
→ Good security practice demonstrated in documentation.
Location: references/acceptance-criteria.md:1

[Info] Read-only operations explicitly documented
The SKILL.md cleanup section states: 'This skill only performs read-only query operations, does not create any cloud resources'.
Evidence: This skill only performs read-only query operations, does not create any cloud resources, no cleanup required.
→ Documentation and stated behavior are aligned.
Location: SKILL.md:160
Resource     Declared  Inferred  Status     Evidence
Filesystem   NONE      NONE                 No file operations in documentation
Network      NONE      READ      ✓ Aligned  Uses Alibaba Cloud CLI to call rdsai.aliyuncs.com; declared in SKILL.md
Shell        NONE      WRITE     ✓ Aligned  CLI installation via documented script; API calls are read-only per SKILL.md cle…
Environment  NONE      NONE                 No environment variable manipulation; credentials via aliyun configure
Database     READ      READ      ✓ Aligned  rdsai:ChatMessages API for read-only queries
7 findings (External URL)

Medium  External URL  https://aliyuncli.alicdn.com/aliyun-cli-latest.pkg  (SKILL.md:37)
Medium  External URL  https://aliyuncli.alicdn.com/install.sh  (SKILL.md:41)
Medium  External URL  https://aliyuncli.alicdn.com/aliyun-cli-linux-latest-amd64.tgz  (SKILL.md:51)
Medium  External URL  https://help.aliyun.com/zh/cli/  (SKILL.md:264)
Medium  External URL  https://help.aliyun.com/zh/cli/command-line-options  (references/related-apis.md:150)
Medium  External URL  https://help.aliyun.com/zh/cli/parameter-format-overview  (references/related-apis.md:151)
Medium  External URL  https://help.aliyun.com/zh/cli/configure-credentials  (references/related-apis.md:152)

File Tree

5 files · 26.1 KB · 846 lines
Markdown: 5 files · 846 lines
├─ 📁 references
│ ├─ 📝 acceptance-criteria.md Markdown 154L · 3.8 KB
│ ├─ 📝 ram-policies.md Markdown 82L · 2.1 KB
│ ├─ 📝 related-apis.md Markdown 152L · 5.2 KB
│ └─ 📝 verification-method.md Markdown 190L · 5.3 KB
└─ 📝 SKILL.md Markdown 268L · 9.7 KB

Security Positives

✓ Pure documentation skill with no executable code files
✓ Credentials handled via aliyun configure (credential chain), not hardcoded
✓ RAM permissions clearly documented with least-privilege principle
✓ Explicitly states read-only operations only
✓ Uses official Alibaba Cloud API endpoint (rdsai.aliyuncs.com)
✓ Documentation is comprehensive with verification methods
✓ Acceptance criteria explicitly mark insecure patterns as incorrect