Trusted: risk score 5/100
Last scanned: 2 days ago
alibabacloud-rds-copilot
Alibaba Cloud RDS Copilot intelligent operations assistant skill for RDS-related Q&A, SQL optimization, instance operations, and troubleshooting
Pure documentation skill with no executable code; provides legitimate Alibaba Cloud RDS Copilot integration instructions with proper credential handling guidance.
Skill name: alibabacloud-rds-copilot
Analysis time: 28.9s
Engine: pi
OK to install
No action required. Skill is a documentation-only wrapper for Alibaba Cloud CLI. The remote script URLs point to official Alibaba Cloud CDN domains.

Security findings: 3

Severity | Finding | Location
Info
Remote script execution in documentation
SKILL.md includes curl|bash pattern for CLI installation. The URLs point to official Alibaba Cloud CDN (aliyuncli.alicdn.com) which is standard vendor practice.
/bin/bash -c "$(curl -fsSL https://aliyuncli.alicdn.com/install.sh)"
→ Acceptable - official Alibaba Cloud CLI installation from vendor CDN. Users should verify URLs before executing.
SKILL.md:41
Info
Credential configuration guidance is security-conscious
acceptance-criteria.md explicitly marks hardcoded credentials as INCORRECT and recommends interactive configuration via aliyun configure.
export ALIBABA_CLOUD_ACCESS_KEY_ID=... # Do not set explicitly
→ Good security practice demonstrated in documentation.
references/acceptance-criteria.md:1
Info
Read-only operations explicitly documented
SKILL.md cleanup section states 'This skill only performs read-only query operations, does not create any cloud resources'.
This skill only performs read-only query operations, does not create any cloud resources, no cleanup required.
→ Alignment between documentation and stated behavior.
SKILL.md:160
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | NONE | NONE | | No file operations in documentation
Network access | NONE | READ | ✓ Consistent | Uses Alibaba Cloud CLI to call rdsai.aliyuncs.com - declared in SKILL.md
Command execution | NONE | WRITE | ✓ Consistent | CLI installation via documented script; API calls are read-only per SKILL.md cle…
Environment variables | NONE | NONE | | No environment variable manipulation; credentials via aliyun configure
Database | READ | READ | ✓ Consistent | rdsai:ChatMessages API for read-only queries
7 findings

Severity | Type | URL | Location
Medium | External URL | https://aliyuncli.alicdn.com/aliyun-cli-latest.pkg | SKILL.md:37
Medium | External URL | https://aliyuncli.alicdn.com/install.sh | SKILL.md:41
Medium | External URL | https://aliyuncli.alicdn.com/aliyun-cli-linux-latest-amd64.tgz | SKILL.md:51
Medium | External URL | https://help.aliyun.com/zh/cli/ | SKILL.md:264
Medium | External URL | https://help.aliyun.com/zh/cli/command-line-options | references/related-apis.md:150
Medium | External URL | https://help.aliyun.com/zh/cli/parameter-format-overview | references/related-apis.md:151
Medium | External URL | https://help.aliyun.com/zh/cli/configure-credentials | references/related-apis.md:152

Directory structure

5 files · 26.1 KB · 846 lines
Markdown 5f · 846L
├─ 📁 references
│ ├─ 📝 acceptance-criteria.md Markdown 154L · 3.8 KB
│ ├─ 📝 ram-policies.md Markdown 82L · 2.1 KB
│ ├─ 📝 related-apis.md Markdown 152L · 5.2 KB
│ └─ 📝 verification-method.md Markdown 190L · 5.3 KB
└─ 📝 SKILL.md Markdown 268L · 9.7 KB

Security highlights

✓ Pure documentation skill with no executable code files
✓ Credentials handled via aliyun configure (credential chain), not hardcoded
✓ RAM permissions clearly documented with least-privilege principle
✓ Explicitly states read-only operations only
✓ Uses official Alibaba Cloud API endpoint (rdsai.aliyuncs.com)
✓ Documentation is comprehensive with verification methods
✓ Acceptance criteria explicitly marks insecure patterns as incorrect