alibabacloud-pds-intelligent-workspace
Pass
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill fetches the official Alibaba Cloud CLI and its associated mount app plugin from vendor-controlled domains, specifically
aliyuncli.alicdn.comandalicdn.com. These are recognized as trusted resources belonging to the skill's author, Aliyun. - [REMOTE_CODE_EXECUTION]: The installation process involves executing a remote shell script from
aliyuncli.alicdn.comvia a pipe tobash. This is the official and standard method provided by Alibaba Cloud for deploying their command-line interface. - [COMMAND_EXECUTION]: The skill invokes the
aliyunCLI tool and several internal Python scripts (e.g.,pds_poll_processor.py,doc_analysis_formatter.py) to facilitate cloud operations. Technical review of the code shows that subprocess calls useshell=Falseto prevent command injection vulnerabilities. - [PERSISTENCE_MECHANISMS]: To support the persistent mounting of cloud drives, the skill configures background services using Windows Scheduled Tasks and macOS LaunchAgents (
com.aliyun.pds.mountapp.plist). This behavior is functionally necessary for the skill's stated purpose of providing local access to cloud storage. - [PRIVILEGE_ESCALATION]: Administrative privileges (via
sudoorRunAs) are requested for installing system-level dependencies such as the Alibaba Cloud CLI, Dokan drivers (Windows), and FUSE drivers (Linux/macOS), which are required for the drive mounting functionality. - [CREDENTIALS_SAFE]: Although the skill handles Alibaba Cloud Access Keys (AK/SK), it includes explicit safety guidelines that forbid the agent from printing, reading, or outputting plaintext credentials, adhering to security best practices for credential management.
Audit Metadata