alibabacloud-agent-toolkit-install
Pass
Audited by Gen Agent Trust Hub on Jun 26, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill downloads installation scripts and binaries from external sources. These include 'uv' from astral.sh (a well-known service for Python developer tooling) and the Alibaba Cloud CLI from aliyuncli.alicdn.com (the official vendor domain).
- [REMOTE_CODE_EXECUTION]: The skill uses pipe-to-shell patterns and npx to install software. This includes executing the 'uv' installer script from astral.sh and the Alibaba Cloud CLI installer via bash. Additionally, it uses 'npx openplugin' to fetch and install the agent toolkit from the openplugin registry. These actions are standard for the tool's installation process and the skill instructions explicitly mandate waiting for user confirmation before execution.
- [COMMAND_EXECUTION]: The skill executes several local commands to check environment status, manage CLI plugins, and generate access tokens using the Alibaba Cloud CLI ('aliyun'). It uses a session-specific UUID for user-agent tracking and performs cloud-side resource creation ('create-api-mcp-server-core') after obtaining user consent.
Audit Metadata