ClawAudit verdict
Alibaba Cloud Yunxiao: create MR + deploy + notify
ailiyun-yunxiao-mr-deploy
The skill appears to be a deployment tool for creating and managing MR (Merge Request) and automated workflows on Alibaba Cloud. It does not exhibit any malicious behavior and seems to follow secure practices by not directly exposing sensitive information and instead relying on environment variables.
⚠ Flagged for review — coarse, uncorroborated signal, not a confirmed exploit. Review the config yourself before installing.
Automated static analysis — not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives.
Findings (3)
References webhook/callback URL
SKILL.md · code · WEBHOOK_URL
Accesses shell history/config
SKILL.md · prose · downgraded · ~/.zshrc
Python os.environ.get — reads environment variable
ailiyun_yunxiao_mr_deploy.py · prose · downgraded · os.environ.get(
Permissions & capabilities
No declared permissions — minimal attack surface.
network_in