Alibaba Super Resolution
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a coherent Alibaba Cloud video upscaling skill, but users should notice that it uses cloud credentials, uploads videos to Alibaba, and relies on Python dependencies installed by the user.
Before installing, create a least-privileged Alibaba Cloud access key, install dependencies in an isolated environment, and only process videos that are safe to upload to Alibaba Cloud. The artifacts do not show deception or unrelated data access.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the access key is too broad, the skill could submit billable jobs or use Alibaba Cloud permissions beyond what the user intended.
The skill requires Alibaba Cloud credentials to call the intended service. This is purpose-aligned, but it gives the tool delegated cloud-account authority and is not declared in the registry requirements.
export ALIBABA_CLOUD_ACCESS_KEY_ID="your-access-key-id"
export ALIBABA_CLOUD_ACCESS_KEY_SECRET="your-access-key-secret"
Use a least-privileged Alibaba RAM access key scoped to the needed video-enhancement and optional OSS permissions; avoid root or broad long-lived keys.
Private or confidential videos may be transmitted to and processed by Alibaba Cloud, and generated output URLs may be sensitive while valid.
The tool reads the user's local video and sends it to Alibaba Cloud for processing. This is central to the skill's purpose, but it is still a sensitive third-party data flow.
with open(input_file, 'rb') as f:
    video_data = io.BytesIO(f.read())
...
request.video_url_object = video_data
...
response = self.client.super_resolve_video_advance(request, runtime)
Only use the skill for videos you are allowed to upload to Alibaba Cloud; review provider region, retention, and sharing expectations, and avoid exposing output URLs.
Future dependency updates could change behavior or introduce dependency-level vulnerabilities.
The dependency versions are not pinned exactly, so a user-directed install may resolve newer package versions than those originally tested.
requests>=2.31.0
alibabacloud_tea_openapi>=0.3.0
alibabacloud_tea_util>=0.3.0
alibabacloud_videoenhan20200320>=1.1.0
Install in an isolated virtual environment and consider pinning exact versions or using hashes for reproducible installs.
