Skill Trust Decision

aliyun-ai-guardrail

Skill collects Alibaba Cloud credentials and sends user message content to an undeclared Chinese cloud endpoint via global fetch interception, with significant doc-to-code mismatch.

Source: Manual upload · Scanned: Apr 3, 2026
Files 6
Artifacts 0
Violations 3
Findings 5
Most direct threat evidence
01
User installs skill via openclaw
Delivery · SKILL.md
02
Skill copies hook to temp dir and runs npm install
Delivery · SKILL.md
03
Hook registers on agent:bootstrap event and patches globalThis.fetch
Escalation · assets/aliyun-ai-guardrail/hooks/aliyun-ai-guardrail/handler.ts

Why this conclusion was reached

2/4 dimensions flagged
Block
Declared vs actual capability

3 undeclared or violating capabilities were inferred.

Pass
Hidden execution and egress

No obvious high-risk egress or execution signals were found.

Block
Attack chain and severe findings

The report includes 4 attack-chain steps and 3 severe findings.

Review
Dependencies and supply chain hygiene

1 dependency or supply-chain issue needs attention.

Attack Chain

01
User installs skill via openclaw

Delivery · SKILL.md:11

02
Skill copies hook to temp dir and runs npm install

Delivery · SKILL.md:12

03
Hook registers on agent:bootstrap event and patches globalThis.fetch

Escalation · assets/aliyun-ai-guardrail/hooks/aliyun-ai-guardrail/handler.ts:133

04
User message content (up to 2000 chars) intercepted and sent to green-cip.cn-beijing.aliyuncs.com

Exfiltration · assets/aliyun-ai-guardrail/hooks/aliyun-ai-guardrail/handler.ts:43

What drove the risk score up

Global fetch interception +20

SKILL.md nowhere mentions that handler.ts patches globalThis.fetch to intercept ALL HTTP requests

Undeclared network destination +15

Content sent to green-cip.cn-beijing.aliyuncs.com - not mentioned in SKILL.md

Data exfiltration to foreign cloud +15

User message content (up to 2000 chars) sent to Alibaba Cloud in China

Credential harvesting +10

The skill explicitly collects the AccessKey ID and Secret (AKSK) and stores them in openclaw.json without clearly disclosing why they are needed

Unpinned npm dependencies +5

@alicloud/openapi-client allows any version >=0.4.12

Most important evidence

High

Global fetch interception not declared

The handler.ts globally patches globalThis.fetch to intercept all HTTP requests. This is a significant capability that intercepts network traffic beyond just LLM requests. SKILL.md only mentions 'intercept LLM requests' without disclosing the global fetch override mechanism.

assets/aliyun-ai-guardrail/hooks/aliyun-ai-guardrail/handler.ts:133
Disclose global fetch patching in SKILL.md or refactor to use a more targeted interception method

High

Undeclared network destination

SKILL.md does not mention the Alibaba Cloud endpoint (green-cip.cn-beijing.aliyuncs.com). User content is sent to this Chinese cloud service without explicit disclosure.

assets/aliyun-ai-guardrail/hooks/aliyun-ai-guardrail/handler.ts:10
Add explicit documentation of all external API endpoints in SKILL.md

High

User content exfiltration to foreign jurisdiction

Up to 2000 characters of user message content is sent to Alibaba Cloud in China. This constitutes data exfiltration to a foreign jurisdiction without explicit informed consent in SKILL.md.

assets/aliyun-ai-guardrail/hooks/aliyun-ai-guardrail/handler.ts:43
Obtain explicit user consent for data transmission to Alibaba Cloud; add data retention policy disclosure

Medium

Credential harvesting pattern

The skill prompts users for Alibaba Cloud AccessKey ID and Secret and stores them in openclaw.json. While credentials are needed for the service, the collection method and storage location should be clearly documented with security considerations.

SKILL.md:27
Add guidance about credential security and consider recommending least-privilege IAM roles

Low

Unpinned dependency version

@alicloud/openapi-client uses caret version range (^0.4.12), allowing minor/patch updates

assets/aliyun-ai-guardrail/package.json:11
Pin exact versions for reproducible builds and supply chain security

Declared capability vs actual capability

Filesystem · Block · Declared: READ · Inferred: WRITE
SKILL.md step 1: 'cp -r' copies hook files; npm install modifies node_modules

Network · Block · Declared: NONE · Inferred: WRITE
handler.ts:133 - globalThis.fetch = patchedFetch; sends to green-cip.cn-beijing.aliyuncs.com

Environment · Block · Declared: NONE · Inferred: WRITE
SKILL.md step 3: writes AKSK to openclaw.json env block

Shell · Pass · Declared: NONE · Inferred: WRITE
SKILL.md step 1: openclaw hooks install command execution implied

Suspicious artifacts and egress

No obvious IOC was extracted.

Dependencies and supply chain

Package | Version | Source | Known vuln | Notes
@alicloud/openapi-client | ^0.4.12 | npm | No | Version not pinned; allows updates

File composition

6 files · 282 lines
TypeScript 1 file · 170 lines
Markdown 3 files · 77 lines
Text 1 file · 20 lines
JSON 1 file · 15 lines
Files of concern · 3
assets/aliyun-ai-guardrail/hooks/aliyun-ai-guardrail/handler.ts TypeScript · 170 lines
Global fetch interception not declared · Undeclared network destination · User content exfiltration to foreign jurisdiction
SKILL.md Markdown · 46 lines
Credential harvesting pattern
assets/aliyun-ai-guardrail/package.json JSON · 15 lines
Unpinned dependency version
Other files · LICENSE.txt · README.md · HOOK.md

Security positives

MIT License with clear copyright
Detection results are cached to minimize API calls
1-second timeout on API calls with pass-through on failure
No evidence of credential exfiltration (credentials stay local)