alibabacloud-openclaw-skill-security-scan

Pass

Audited by Gen Agent Trust Hub on Jun 14, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill orchestrates security scans by executing local shell scripts (main.sh, basic_udf.sh, skill_zip_packager.sh) and the openclaw CLI. These operations are necessary to perform file-system analysis and environmental audits as described in its purpose.
  • [DATA_EXFILTRATION]: As part of its 'Cloud Deep Analysis' feature, the skill packages target skill directories into ZIP files and uploads them to riskpunish.aliyuncs.com. While this involves transmitting local code to a remote server, it is a documented function of the scanner, and the destination is a legitimate security endpoint owned by the vendor (Aliyun).
  • [EXTERNAL_DOWNLOADS]: The skill interacts with Alibaba Cloud's security services at riskpunish.aliyuncs.com to query file reputation and perform deep scanning. These network operations are limited to official vendor domains and are essential for providing cloud-enhanced security intelligence.
  • [PROMPT_INJECTION]: The references/skillaudit.md file and scripts/main.sh contain various prompt injection strings and jailbreak patterns (e.g., 'ignore previous instructions', 'DAN'). These are present as reference benchmarks for the static analysis engine to detect risks in other skills and do not represent a threat within this skill itself.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 14, 2026, 03:28 PM
Security Audit — agent-trust-hub — alibabacloud-openclaw-skill-security-scan