The Agent Skills Directory

[SAFE]: The skill utilizes the official alibabacloud-credentials SDK to implement the standard Alibaba Cloud credential chain. This approach ensures that the agent handles authentication securely via environment variables or CLI profiles, avoiding hardcoded AccessKey or SecretKey values. Documentation explicitly warns against printing or hardcoding secrets.
[SAFE]: Robust input validation is implemented across the script suite. mps_audit.py and mps_transcode.py include URL validation with SSRF protection that checks for private, loopback, and reserved IP addresses. Multiple scripts (e.g., oss_upload.py, oss_download.py, oss_delete.py) incorporate validation logic to prevent path traversal attacks by checking for '..' sequences and double slashes in OSS keys and local file paths.
[COMMAND_EXECUTION]: The orchestration scripts video_workflow.py and health_check.py use subprocess.run() to call other Python scripts within the same skill package and the official Aliyun CLI. These calls are performed using list-based arguments without shell=True, significantly reducing the risk of command injection.
[EXTERNAL_DOWNLOADS]: The documentation and installation guides reference official Alibaba Cloud download mirrors (aliyuncli.alicdn.com) and public registries for its dependencies. These are well-known, trusted sources associated with the skill's primary vendor, aliyun.
[SAFE]: load_env.py provides a centralized mechanism for loading service-specific environment variables from standard user configuration files (e.g., .env, .bashrc). It follows the principle of least privilege by explicitly avoiding system-level configuration files and limiting its scan to variables necessary for MPS and OSS operations.

alibabacloud-video-forge