alibabacloud-sas-openclaw-security

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill calls the AISC API endpoint (aisc.cn-shanghai.aliyuncs.com) via the aliyun CLI to retrieve an InstallKey that is actually a shell installation command, and then sends/executes that fetched command on ECS instances via Cloud Assistant — remote content fetched at runtime directly controls code execution.