aliyun-cli-manage
Fail
Audited by Snyk on May 15, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.80). The prompt includes an explicit insecure example that passes the access key and secret as command-line arguments (aliyun configure set --access-key-id --access-key-secret ) and instructs saving command/request parameters. Unless environment-variable usage is strictly enforced, this requires the LLM to handle and output secret values verbatim, creating an exfiltration risk.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The runtime installer script (scripts/ensure_aliyun_cli.py) downloads and installs a remote binary from https://aliyuncli.alicdn.com/aliyun-cli-linux-latest-amd64.tgz and then runs that binary, so this URL provides code that is fetched and executed at runtime and is required for the skill.
Issues (2)
W007
HIGH: Insecure credential handling detected in skill instructions.
W012
MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata