alibabacloud-chatapp-message-send

Pass

Audited by Gen Agent Trust Hub on Jun 14, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill downloads the aliyun CLI setup script from 'https://aliyuncli.alicdn.com/setup.sh' and binary packages from the same domain. This is an official Alibaba Cloud domain used for distributing their command-line tools.
  • [COMMAND_EXECUTION]: The Python scripts (list_templates.py, get_template_detail.py, send_chatapp_message.py) use 'subprocess.run' to invoke the aliyun CLI. The arguments are constructed using a list of strings and use the 'aliyun' command directly, which is the intended purpose of the skill to interface with the cloud service.
  • [REMOTE_CODE_EXECUTION]: The SKILL.md file contains instructions to pipe the aliyun CLI setup script from 'https://aliyuncli.alicdn.com/setup.sh' to bash. While this is a remote code execution pattern, it is sourced from a well-known service (Alibaba Cloud) for the purpose of tool installation/update, aligning with standard developer practices for this ecosystem.
  • [SAFE_PRACTICES]: The skill explicitly instructs users NOT to hardcode or print AccessKeys and refers them to secure configuration methods (aliyun configure) outside the agent session.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 14, 2026, 03:27 PM
Security Audit — agent-trust-hub — alibabacloud-chatapp-message-send