Qwen Video (Wan)

Review

Audited by ClawScan on May 10, 2026.

Overview

This looks like a real DashScope video-generation skill, but it disables HTTPS certificate checks while using your API key, so it should be reviewed or patched before use.

Use this skill only if you are comfortable sending prompts and optional audio URLs to Alibaba Cloud DashScope. Before running it, patch the scripts to remove curl -k, set a controlled output path, use a least-privilege API key if available, and monitor provider usage or billing.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A network attacker or misconfigured proxy could intercept or tamper with API traffic, including the API key, prompts, task status, or video download URL.

Why it was flagged

The script disables TLS certificate verification with -k while sending the DashScope bearer token. The same unsafe pattern is also used for polling and downloading, increasing interception or tampering risk on untrusted networks.

Skill content

RESP=$(curl -sS -k --location "$API_URL" ... -H "Authorization: Bearer $DASHSCOPE_API_KEY"

Recommendation

Remove -k from normal execution, require valid TLS certificates, and only allow an explicit debug option for insecure TLS with a clear warning.

What this means

Using the skill may consume quota or incur charges on the Alibaba Cloud account tied to the API key.

Why it was flagged

The skill requires a DashScope API key to submit paid/provider-side video-generation jobs. This is expected for the integration, but it gives the skill account-level provider authority for API usage.

Skill content

export DASHSCOPE_API_KEY="sk-..."

Recommendation

Use a limited-purpose API key if available, monitor DashScope usage and billing, and avoid sending sensitive prompts or audio URLs.

What this means

Users may not realize before installation that the skill needs a DashScope credential and local command-line tools.

Why it was flagged

The registry metadata does not declare the source, homepage, required API-key environment variable, or command-line tooling used by the included scripts.

Skill content

Source: unknown; Homepage: none; Required binaries: none; Required env vars: none

Recommendation

Declare DASHSCOPE_API_KEY and required tools such as curl/bash/python3 in metadata, and provide a verifiable project source or homepage if possible.