← Back to Skills Marketplace
276
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install ucloud-infra
Description
UCloud Cloud Management - Complete Version
Usage Guidance
This skill mostly does what it says (wraps the UCloud CLI) but has a few red flags you should consider before installing:
- UCLOUD_PROJECT_ID is required by the script but not declared as required in the skill metadata or emphasized in the SKILL.md; set this env var or the skill will exit. Ask the publisher to update metadata/documentation.
- The script logs create/delete operations to a logs directory and records parameters verbatim. That can include VM/DB passwords and other sensitive details. If you install, review and relocate/secure the logs (or disable logging) and avoid passing secrets via CLI flags.
- The script builds the ucloud command with --public-key/--private-key as arguments, which can expose credentials to other local users via process listings. Prefer configuration via protected env vars or other safer auth mechanisms if available.
- The skill executes the 'ucloud' CLI via child_process.exec. Ensure the official ucloud CLI is installed from a trusted source and run the skill in a restricted environment if you have sensitive accounts.
- Review the included ucloud.mjs file yourself (or have an admin do so) to confirm logging behavior and ensure it uses only the commands you expect. Consider using short-lived API keys and least privilege for the credentials you supply; rotate keys after testing.
Given these issues, do not install blindly in a production environment. Ask the publisher to (1) declare UCLOUD_PROJECT_ID as required, (2) avoid logging secrets or sanitize logs, and (3) avoid passing secret keys on the command line. If you cannot get these changes, run the skill in an isolated sandbox and only with test/limited-permission credentials.
Capability Analysis
Type: OpenClaw Skill
Name: ucloud-infra
Version: 1.0.0
The skill bundle is classified as suspicious due to a critical shell injection vulnerability in `ucloud.mjs`. The script constructs shell commands by joining unsanitized user-provided arguments (such as passwords and resource names) and executes them via `child_process.exec`, which allows for arbitrary command execution. Additionally, the script logs sensitive information, including plain-text passwords, to local log files. While these represent severe security flaws, they appear to be unintentional vulnerabilities rather than intentional malware, as the tool's behavior aligns with its stated purpose of UCloud resource management.
Capability Assessment
Purpose & Capability
The skill's name/description (UCloud cloud management) matches the code: ucloud.mjs calls the UCloud CLI with UCLOUD_PUBLIC_KEY and UCLOUD_PRIVATE_KEY. However the script requires UCLOUD_PROJECT_ID at runtime (it exits if missing) even though SKILL.md and registry metadata mark UCLOUD_PROJECT_ID as optional or omit it from required.env — this is an internal inconsistency that will break expected usage and is not declared in the registry metadata.
Instruction Scope
SKILL.md instructs installing the UCloud CLI and running the included Node script; the script uses child_process.exec to run the 'ucloud' binary and writes operation logs to a logs directory under the process working directory. The logger records create/delete parameters verbatim (including values.password) and command outputs, which can store sensitive information (passwords, parameters, possibly returned secrets) on disk. The SKILL.md and README state logs are written but do not warn that passwords/API artifacts may be stored. This is scope creep/privacy risk relative to a simple management wrapper.
Install Mechanism
This is essentially an instruction-only skill with an included script; there is no external install spec or remote download. No high-risk install behavior (no arbitrary URL downloads or archive extraction) was found. The included .claude/settings.local.json allows Bash(node:*) execution — consistent with the script using exec, but note this grants the agent permission to run shell/Node commands.
Credentials
Declared required env vars in registry metadata are UCLOUD_PUBLIC_KEY and UCLOUD_PRIVATE_KEY (primaryEnv = UCLOUD_PUBLIC_KEY) which is expected. However the runtime code also requires UCLOUD_PROJECT_ID (and will exit if it's not set), yet UCLOUD_PROJECT_ID is not declared as required. The script passes the public/private keys as command-line arguments to the 'ucloud' CLI (exposed in the constructed command string), which can be visible to other local processes via process listings. The number of env vars is small and relevant, but the omission of UCLOUD_PROJECT_ID from the manifest and the CLI-arg exposure of secrets are notable risks.
Persistence & Privilege
The skill is user-invocable and allows autonomous invocation (disable-model-invocation: false) — that is the platform default and not flagged alone. always:false (not force-included). The skill writes logs to disk (logs/ucloud-operations-YYYY-MM-DD.jsonl) under process.cwd(), but it does not attempt to modify other skills or system-wide config.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install ucloud-infra - After installation, invoke the skill by name or use
/ucloud-infra - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of the complete UCloud cloud management skill.
- Supports full management for all major UCloud resource types (uhost, MySQL, Redis, EIP, udisk, ULB, VPC, Firewall, etc.)
- Offers listing, creation, deletion, configuration, resizing, and more for each resource type
- Requires UCloud CLI and relevant API environment variables (UCLOUD_PUBLIC_KEY, UCLOUD_PRIVATE_KEY)
- Provides comprehensive usage instructions and command examples for common UCloud operations
- Automatically logs all create/delete operations in structured log files
- Standardized JSON output for both success and error responses
┌──────────┬───────┬──────────────────────────────────────────────────┐
│ 产品 │ 资源 │ 支持的操作 │
│ │ 标识 │ │
├──────────┼───────┼──────────────────────────────────────────────────┤
│ 云主机 │ uhost │ list, create, start, stop, restart, delete, │
│ │ │ reset-password, resize │
├──────────┼───────┼──────────────────────────────────────────────────┤
│ │ │ list, create, start, stop, restart, delete, │
│ MySQL │ mysql │ reset-password, resize, restore, create-slave, │
│ 数据库 │ │ promote-slave,以及配置管理(conf)、备份(backup) │
│ │ │ 、日志(logs) │
├──────────┼───────┼──────────────────────────────────────────────────┤
│ Redis │ redis │ list, create, start, stop, restart, delete │
│ 缓存 │ │ │
├──────────┼───────┼──────────────────────────────────────────────────┤
│ Memcache │ memca │ list, create, restart, delete │
│ d 缓存 │ ched │ │
├──────────┼───────┼──────────────────────────────────────────────────┤
│ 弹性IP │ eip │ list, allocate, bind, unbind, release, │
│ │ │ modify-bw, modify-traffic-mode │
├──────────┼───────┼──────────────────────────────────────────────────┤
│ │ │ list, create, delete, attach, detach, expand, │
│ 云硬盘 │ udisk │ snapshot, list-snapshot, delete-snapshot, │
│ │ │ restore │
├──────────┼───────┼──────────────────────────────────────────────────┤
│ 负载均衡 │ ulb │ list, create, delete, update,以及虚拟服务器(vse │
│ │ │ rver)、后端(backend)、策略(policy)、SSL证书管理 │
├──────────┼───────┼──────────────────────────────────────────────────┤
│ 虚拟私有 │ vpc │ list, create, delete, create-intercome, │
│ 云 │ │ delete-intercome, list-intercome │
├──────────┼───────┼──────────────────────────────────────────────────┤
│ 子网 │ subne │ list, create, delete, list-resource │
│ │ t │ │
├──────────┼───────┼──────────────────────────────────────────────────┤
│ 防火墙 │ firew │ list, create, delete, update, apply, add-rule, │
│ │ all │ remove-rule, resource, copy │
├──────────┼───────┼──────────────────────────────────────────────────┤
│ 镜像 │ image │ list, create, delete, copy │
├──────────┼───────┼──────────────────────────────────────────────────┤
│ 项目 │ proje │ list, create, update, delete │
│ │ ct │ │
├──────────┼───────┼──────────────────────────────────────────────────┤
│ GlobalSS │ gssh │ list, create, delete, update, location │
│ H加速 │ │ │
├──────────┼───────┼──────────────────────────────────────────────────┤
│ 全球加速 │ pathx │ UGA(list/create/delete/describe/add-port/delete- │
│ │ │ port)、UPath │
├──────────┼───────┼──────────────────────────────────────────────────┤
│ 对等连接 │ udpn │ list, create, delete, modify-bw │
├──────────┼───────┼──────────────────────────────────────────────────┤
│ 物理主机 │ uphos │ list │
│ │ t │ │
├──────────┼───────┼──────────────────────────────────────────────────┤
│ │ │ 带宽包(pkg): │
│ 带宽包 │ bw │ list/create/delete;共享带宽(shared): │
│ │ │ list/create/delete/resize │
├──────────┼───────┼──────────────────────────────────────────────────┤
│ 区域查询 │ regio │ list │
│ │ n │ │
└──────────┴───────┴──────────────────────────────────────────────────┘
Metadata
Frequently Asked Questions
What is ucloud-infra?
UCloud Cloud Management - Complete Version. It is an AI Agent Skill for Claude Code / OpenClaw, with 276 downloads so far.
How do I install ucloud-infra?
Run "/install ucloud-infra" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is ucloud-infra free?
Yes, ucloud-infra is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does ucloud-infra support?
ucloud-infra is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created ucloud-infra?
It is built and maintained by qianjunye (@qianjunye); the current version is v1.0.0.
More Skills