Qwen Video (Wan)
Pass. Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: qwen-video
Version: 1.1.0

The skill is suspicious due to two significant vulnerabilities. All `curl` commands in `scripts/generate.sh`, `scripts/poll.sh`, and `scripts/submit.sh` use the `-k` (insecure) flag, which disables TLS certificate validation and leaves API communication open to Man-in-the-Middle (MITM) attacks. Furthermore, `scripts/submit.sh` embeds the user-provided `$PROMPT` and `$AUDIO_URL` values directly into a JSON payload without escaping, creating a JSON injection vulnerability that could lead to malformed API requests or unexpected behavior.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A network attacker or misconfigured proxy could intercept or tamper with API traffic, including the API key, prompts, task status, or video download URL.
The script disables TLS certificate verification with -k while sending the DashScope bearer token. The same unsafe pattern is also used for polling and downloading, increasing interception or tampering risk on untrusted networks.
RESP=$(curl -sS -k --location "$API_URL" ... -H "Authorization: Bearer $DASHSCOPE_API_KEY"
Remove -k from normal execution, require valid TLS certificates, and only allow an explicit debug option for insecure TLS with a clear warning.

Using the skill may consume quota or incur charges on the Alibaba Cloud account tied to the API key.
The skill requires a DashScope API key to submit paid/provider-side video-generation jobs. This is expected for the integration, but it gives the skill account-level provider authority for API usage.
export DASHSCOPE_API_KEY="sk-..."
Use a limited-purpose API key if available, monitor DashScope usage and billing, and avoid sending sensitive prompts or audio URLs.

Users may not realize before installation that the skill needs a DashScope credential and local command-line tools.
The registry metadata does not declare the source, homepage, required API-key environment variable, or command-line tooling used by the included scripts.
Source: unknown; Homepage: none; Required binaries: none; Required env vars: none
Declare DASHSCOPE_API_KEY and required tools such as curl/bash/python3 in metadata, and provide a verifiable project source or homepage if possible.
