alicloud-skill-creator
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill interacts with the local system and the Claude CLI using Python's subprocess module to perform its core engineering tasks.
  - `scripts/run_eval.py` and `scripts/run_loop.py` execute the `claude` command-line interface to evaluate how effectively skill descriptions trigger the agent.
  - `eval-viewer/generate_review.py` executes the `lsof` utility to manage local network ports when starting the evaluation viewer server.
  - The workflow instructions in `SKILL.md` prompt the execution of repository-specific scripts such as `scripts/update_skill_index.sh` and `tests/common/compile_skill_scripts.py`.
- [EXTERNAL_DOWNLOADS]: The skill's HTML assets reference external resources from well-known technology providers to enhance the evaluation viewer's functionality.
  - `assets/eval_review.html` and `eval-viewer/viewer.html` load font styles from Google Fonts (`fonts.googleapis.com`).
  - `eval-viewer/viewer.html` fetches the SheetJS library from `cdn.sheetjs.com` to support the rendering of spreadsheet data within the viewer.
- [REMOTE_CODE_EXECUTION]: The skill implements an automated optimization loop that relies on communication with an external AI service.
  - `scripts/improve_description.py` uses the Anthropic Python SDK to send current skill metadata to a remote model, which then generates improved versions of the description.
- [DATA_EXFILTRATION]: As part of its intended optimization workflow, the skill transmits internal file content to a remote API.
  - `scripts/improve_description.py` sends the full text of `SKILL.md` files to the Anthropic API to facilitate description refinement. This is a functional requirement for the skill's primary purpose.
Audit Metadata