alibabacloud-chatapp-message-send
Pass
Audited by Gen Agent Trust Hub on Jun 14, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill downloads the aliyun CLI setup script from 'https://aliyuncli.alicdn.com/setup.sh' and binary packages from the same domain. This is an official Alibaba Cloud domain used for distributing their command-line tools.
- [COMMAND_EXECUTION]: The Python scripts (list_templates.py, get_template_detail.py, send_chatapp_message.py) use 'subprocess.run' to invoke the aliyun CLI. The arguments are constructed using a list of strings and use the 'aliyun' command directly, which is the intended purpose of the skill to interface with the cloud service.
- [REMOTE_CODE_EXECUTION]: The SKILL.md file contains instructions to pipe the aliyun CLI setup script from 'https://aliyuncli.alicdn.com/setup.sh' to bash. While this is a remote code execution pattern, it is sourced from a well-known service (Alibaba Cloud) for the purpose of tool installation/update, aligning with standard developer practices for this ecosystem.
- [SAFE_PRACTICES]: The skill explicitly instructs users NOT to hardcode or print AccessKeys and refers them to secure configuration methods (aliyun configure) outside the agent session.
Audit Metadata