aliyun-cli-manage

Fail

Audited by Snyk on Apr 6, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.80). The skill includes explicit examples that pass access keys/secrets as command-line arguments (aliyun configure set --access-key-id --access-key-secret ) and asks to save request parameters, which can force the agent to output or log secret values verbatim despite also suggesting environment variables as an alternative.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 1.00). The ensure_aliyun_cli.py script downloads and installs a remote binary at runtime from https://aliyuncli.alicdn.com/aliyun-cli-linux-latest-amd64.tgz, which is then installed and executed as the aliyun CLI, so this URL is a runtime external dependency that executes remote code.

Audit Metadata
Risk Level: HIGH
Analyzed: Apr 6, 2026, 11:20 AM
Issues: 2