alibabacloud-waf-config-backup
Pass
Audited by Gen Agent Trust Hub on Jun 24, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill provides instructions to download and install the Alibaba Cloud CLI using a shell script hosted on an official vendor domain (https://aliyuncli.alicdn.com/setup.sh). This is a standard procedure for setting up the required environment for this vendor's tools.
- [COMMAND_EXECUTION]: The bundled Python script 'scripts/export_waf_config_backup.py' uses 'subprocess.run' with 'shell=True' to invoke the 'aliyun' CLI. This is used exclusively to fetch configuration data from the user's Alibaba Cloud account via documented API endpoints.
- [REMOTE_CODE_EXECUTION]: The installation guide for the Alibaba Cloud CLI involves piping a remote setup script directly into bash. While this pattern is generally high-risk, in this context, the source is an official vendor CDN associated with the skill's author ('aliyun').
- [SAFE]: The skill adheres to security best practices regarding credential management, explicitly instructing the agent never to print, echo, or ask for AccessKey/SecretKey values, and instead relying on the existing CLI configuration.
Audit Metadata