qianjunye

ucloud-infra

Author: qianjunye · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 276
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install ucloud-infra
Description
UCloud Cloud Management - Complete Version
Security usage advice
This skill mostly does what it says (wraps the UCloud CLI) but has a few red flags you should consider before installing:
- UCLOUD_PROJECT_ID is required by the script but not declared as required in the skill metadata or emphasized in the SKILL.md; set this env var or the skill will exit. Ask the publisher to update metadata/documentation.
- The script logs create/delete operations to a logs directory and records parameters verbatim. That can include VM/DB passwords and other sensitive details. If you install, review and relocate/secure the logs (or disable logging) and avoid passing secrets via CLI flags.
- The script builds the ucloud command with --public-key/--private-key as arguments, which can expose credentials to other local users via process listings. Prefer configuration via protected env vars or other safer auth mechanisms if available.
- The skill executes the 'ucloud' CLI via child_process.exec. Ensure the official ucloud CLI is installed from a trusted source and run the skill in a restricted environment if you have sensitive accounts.
- Review the included ucloud.mjs file yourself (or have an admin do so) to confirm logging behavior and ensure it uses only the commands you expect. Consider using short-lived API keys and least privilege for the credentials you supply; rotate keys after testing.
Given these issues, do not install blindly in a production environment. Ask the publisher to (1) declare UCLOUD_PROJECT_ID as required, (2) avoid logging secrets or sanitize logs, and (3) avoid passing secret keys on the command line. If you cannot get these changes, run the skill in an isolated sandbox and only with test/limited-permission credentials.
Functional analysis
Type: OpenClaw Skill
Name: ucloud-infra
Version: 1.0.0
The skill bundle is classified as suspicious due to a critical shell injection vulnerability in `ucloud.mjs`. The script constructs shell commands by joining unsanitized user-provided arguments (such as passwords and resource names) and executes them via `child_process.exec`, which allows for arbitrary command execution. Additionally, the script logs sensitive information, including plain-text passwords, to local log files. While these represent severe security flaws, they appear to be unintentional vulnerabilities rather than intentional malware, as the tool's behavior aligns with its stated purpose of UCloud resource management.
Capability assessment
Purpose & Capability
The skill's name/description (UCloud cloud management) matches the code: ucloud.mjs calls the UCloud CLI with UCLOUD_PUBLIC_KEY and UCLOUD_PRIVATE_KEY. However the script requires UCLOUD_PROJECT_ID at runtime (it exits if missing) even though SKILL.md and registry metadata mark UCLOUD_PROJECT_ID as optional or omit it from required.env — this is an internal inconsistency that will break expected usage and is not declared in the registry metadata.
Instruction Scope
SKILL.md instructs installing the UCloud CLI and running the included Node script; the script uses child_process.exec to run the 'ucloud' binary and writes operation logs to a logs directory under the process working directory. The logger records create/delete parameters verbatim (including values.password) and command outputs, which can store sensitive information (passwords, parameters, possibly returned secrets) on disk. The SKILL.md and README state logs are written but do not warn that passwords/API artifacts may be stored. This is scope creep/privacy risk relative to a simple management wrapper.
Install Mechanism
This is essentially an instruction-only skill with an included script; there is no external install spec or remote download. No high-risk install behavior (no arbitrary URL downloads or archive extraction) was found. The included .claude/settings.local.json allows Bash(node:*) execution — consistent with the script using exec, but note this grants the agent permission to run shell/Node commands.
Credentials
Declared required env vars in registry metadata are UCLOUD_PUBLIC_KEY and UCLOUD_PRIVATE_KEY (primaryEnv = UCLOUD_PUBLIC_KEY) which is expected. However the runtime code also requires UCLOUD_PROJECT_ID (and will exit if it's not set), yet UCLOUD_PROJECT_ID is not declared as required. The script passes the public/private keys as command-line arguments to the 'ucloud' CLI (exposed in the constructed command string), which can be visible to other local processes via process listings. The number of env vars is small and relevant, but the omission of UCLOUD_PROJECT_ID from the manifest and the CLI-arg exposure of secrets are notable risks.
Persistence & Privilege
The skill is user-invocable and allows autonomous invocation (disable-model-invocation: false) — that is the platform default and not flagged alone. always:false (not force-included). The skill writes logs to disk (logs/ucloud-operations-YYYY-MM-DD.jsonl) under process.cwd(), but it does not attempt to modify other skills or system-wide config.
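How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install ucloud-infra
  3. Once installation completes, call the Skill by name or trigger it with /ucloud-infra
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history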
v1.0.0
Initial release of the complete UCloud cloud management skill.
- Supports full management for all major UCloud resource types (uhost, MySQL, Redis, EIP, udisk, ULB, VPC, Firewall, etc.)
- Offers listing, creation, deletion, configuration, resizing, and more for each resource type
- Requires UCloud CLI and relevant API environment variables (UCLOUD_PUBLIC_KEY, UCLOUD_PRIVATE_KEY)
- Provides comprehensive usage instructions and command examples for common UCloud operations
- Automatically logs all create/delete operations in structured log files
- Standardized JSON output for both success and error responses

┌────────────────────────┬─────────────┬────────────────────────────────────────────────────────────────────┐
│ Product                │ Resource ID │ Supported operations                                               │
├────────────────────────┼─────────────┼────────────────────────────────────────────────────────────────────┤
│ Cloud host             │ uhost       │ list, create, start, stop, restart, delete, reset-password, resize │
│ MySQL database         │ mysql       │ list, create, start, stop, restart, delete, reset-password,        │
│                        │             │ resize, restore, create-slave, promote-slave, plus configuration   │
│                        │             │ management (conf), backup (backup) and logs (logs)                 │
│ Redis cache            │ redis       │ list, create, start, stop, restart, delete                         │
│ Memcached cache        │ memcached   │ list, create, restart, delete                                      │
│ Elastic IP             │ eip         │ list, allocate, bind, unbind, release, modify-bw,                  │
│                        │             │ modify-traffic-mode                                                │
│ Cloud disk             │ udisk       │ list, create, delete, attach, detach, expand, snapshot,            │
│                        │             │ list-snapshot, delete-snapshot, restore                            │
│ Load balancer          │ ulb         │ list, create, delete, update, plus virtual server (vserver),       │
│                        │             │ backend (backend), policy (policy) and SSL certificate management  │
│ Virtual private cloud  │ vpc         │ list, create, delete, create-intercome, delete-intercome,          │
│                        │             │ list-intercome                                                     │
│ Subnet                 │ subnet      │ list, create, delete, list-resource                                │
│ Firewall               │ firewall    │ list, create, delete, update, apply, add-rule, remove-rule,        │
│                        │             │ resource, copy                                                     │
│ Image                  │ image       │ list, create, delete, copy                                         │
│ Project                │ project     │ list, create, update, delete                                       │
│ GlobalSSH acceleration │ gssh        │ list, create, delete, update, location                             │
│ Global acceleration    │ pathx       │ UGA (list/create/delete/describe/add-port/delete-port), UPath      │
│ Peering connection     │ udpn        │ list, create, delete, modify-bw                                    │
│ Physical host          │ uphost      │ list                                                               │
│ Bandwidth package      │ bw          │ Bandwidth package (pkg): list/create/delete; shared bandwidth      │
│                        │             │ (shared): list/create/delete/resize                                │
│ Region query           │ region      │ list                                                               │
└────────────────────────┴─────────────┴────────────────────────────────────────────────────────────────────┘
Metadata
Slug: ucloud-infra
Version: 1.0.0
License: MIT-0
Total installs: 0
Current installs: 0
Historical versions: 1
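FAQ

What is ucloud-infra?

UCloud Cloud Management - Complete Version. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 276 total downloads so far.

How do I install ucloud-infra?

Run the command "/install ucloud-infra" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is needed.

Is ucloud-infra free?

Yes, ucloud-infra is completely free. It is released under the MIT-0 license and can be freely downloaded, installed and used.

Which platforms does ucloud-infra support?

ucloud-infra runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed ucloud-infra?

Developed and maintained by qianjunye (@qianjunye); the current version is v1.0.0.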
