Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alicloud Ai Entry Modelstudio

v1.0.3

Route Alibaba Cloud Model Studio requests to the right local skill (Qwen Image, Qwen Image Edit, Wan Video, Wan R2V, Qwen TTS, Qwen ASR and advanced TTS vari...

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

[!] Purpose & Capability
The SKILL.md describes a router that dispatches Model Studio requests to local sub-skills; that purpose is coherent with the routing table and workflow. However the instructions require a DashScope SDK and a DASHSCOPE_API_KEY (or a ~/.alibabacloud/credentials entry), yet the skill metadata declares no required environment variables or credentials. The requested credential access is plausible for polling async tasks, but the metadata/manifest should have declared it.
[!] Instruction Scope
Instructions explicitly tell the agent to install a Python package (dashscope), set or read DASHSCOPE_API_KEY or ~/.alibabacloud/credentials, poll an external dashscope.aliyuncs.com endpoint, and save evidence files containing region/resource ids/time ranges. These actions are within a cloud-integration scenario but the SKILL.md references environment/config locations not declared in the manifest and asks the agent to produce artifacts that may contain sensitive identifiers.
Install Mechanism
This is an instruction-only skill (no install spec). It tells the operator to pip install dashscope inside a venv. That is a moderate-risk instruction because dashscope is a third-party PyPI package (unknown from this package alone). No automatic downloads or obscure URLs are present in the skill itself, but the package should be verified before installing.
[!] Credentials
The skill metadata lists no required environment variables, but the runtime instructions require DASHSCOPE_API_KEY or reading ~/.alibabacloud/credentials. It also asks the agent to include region/resource ids and times in output artifacts. Requesting a single cloud API key for polling is reasonable, but the omission in metadata and the potential to store sensitive identifiers in output files are disproportionate and should be clarified.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and has no install-time persistence. It does instruct saving output artifacts under output/alicloud-ai-entry-modelstudio/, which is expected for reproducibility and is a limited filesystem footprint.
Scan Findings in Context
[NO_REGEX_MATCHES] expected: The repo is instruction-only (no code files), so the regex scanner had nothing to analyze; absence of findings is expected but not evidence of safety.
What to consider before installing
This skill appears to be a router for Alibaba Cloud Model Studio but there are a few mismatches and modest risks to check before installing or running it:

  1. Metadata vs. instructions: ask the author to add DASHSCOPE_API_KEY (or equivalent) to the skill's declared requires.env so the manifest matches runtime needs.
  2. Verify the dashscope package on PyPI (or the project homepage) before pip installing; prefer installing in an isolated virtualenv.
  3. Confirm you trust the referenced local skill paths (skills/ai/...) — the router will dispatch requests there; review those skills for unexpected behavior.
  4. Be aware the instructions reference ~/.alibabacloud/credentials and ask you to save region/resource IDs/time ranges to output files; ensure those outputs do not leak secrets or tenancy-identifying information you don't want stored.
  5. If you want stronger safety, request the skill author to: add a clear requires.env entry, document exactly what dashscope API calls will be made, and avoid storing sensitive identifiers in output artifacts or provide explicit redaction guidance.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97b1d74d99kkk1cvwed8h8c6182qtev
Downloads: 1.1k
Stars: 0
Versions: 4
Updated 23h ago
License: MIT-0

Category: task

Alibaba Cloud Model Studio Entry (Routing)

Route requests to existing local skills to avoid duplicating model/parameter details.

Prerequisites

  • Install SDK (virtual environment recommended to avoid PEP 668 restrictions):

        python3 -m venv .venv
        . .venv/bin/activate
        python -m pip install dashscope

  • Configure DASHSCOPE_API_KEY (environment variable preferred; or dashscope_api_key in ~/.alibabacloud/credentials).

Routing Table (currently supported in this repo)

| Need | Target skill |
|---|---|
| Text-to-image / image generation | skills/ai/image/alicloud-ai-image-qwen-image/ |
| Image editing | skills/ai/image/alicloud-ai-image-qwen-image-edit/ |
| Text-to-video / image-to-video (i2v) | skills/ai/video/alicloud-ai-video-wan-video/ |
| Reference-to-video (r2v) | skills/ai/video/alicloud-ai-video-wan-r2v/ |
| Text-to-speech (TTS) | skills/ai/audio/alicloud-ai-audio-tts/ |
| Speech recognition/transcription (ASR) | skills/ai/audio/alicloud-ai-audio-asr/ |
| Realtime speech recognition | skills/ai/audio/alicloud-ai-audio-asr-realtime/ |
| Realtime TTS | skills/ai/audio/alicloud-ai-audio-tts-realtime/ |
| Live speech translation | skills/ai/audio/alicloud-ai-audio-livetranslate/ |
| CosyVoice voice clone | skills/ai/audio/alicloud-ai-audio-cosyvoice-voice-clone/ |
| CosyVoice voice design | skills/ai/audio/alicloud-ai-audio-cosyvoice-voice-design/ |
| Voice clone | skills/ai/audio/alicloud-ai-audio-tts-voice-clone/ |
| Voice design | skills/ai/audio/alicloud-ai-audio-tts-voice-design/ |
| Omni multimodal interaction | skills/ai/multimodal/alicloud-ai-multimodal-qwen-omni/ |
| Visual reasoning | skills/ai/multimodal/alicloud-ai-multimodal-qvq/ |
| Text embeddings | skills/ai/search/alicloud-ai-search-text-embedding/ |
| Rerank | skills/ai/search/alicloud-ai-search-rerank/ |
| Vector retrieval | skills/ai/search/alicloud-ai-search-dashvector/ or skills/ai/search/alicloud-ai-search-opensearch/ or skills/ai/search/alicloud-ai-search-milvus/ |
| Document understanding | skills/ai/text/alicloud-ai-text-document-mind/ |
| Video editing | skills/ai/video/alicloud-ai-video-wan-edit/ |
| Model list crawl/update | skills/ai/misc/alicloud-ai-misc-crawl-and-skill/ |

When Not Matched

  • Clarify model capability and input/output type first.
  • If capability is missing in repo, add a new skill first.

Common Missing Capabilities In This Repo (remaining gaps)

  • text generation/chat (LLM)

  • multimodal embeddings

  • OCR-specialized extraction and image translation

  • virtual try-on / digital human / advanced video personas

  • For multimodal/ASR download failures, prefer public URLs listed above.

  • For ASR parameter errors, use data URI in input_audio.data.

  • For multimodal embedding 400, ensure input.contents is an array.

Async Task Polling Template (video/long-running tasks)

When X-DashScope-Async: enable returns task_id, poll as follows:

GET https://dashscope.aliyuncs.com/api/v1/tasks/<task_id>
Authorization: Bearer $DASHSCOPE_API_KEY

Example result fields (success):

{
  "output": {
    "task_status": "SUCCEEDED",
    "video_url": "https://..."
  }
}

Notes:

  • Recommended polling interval: 15-20 seconds, max 10 attempts.
  • After success, download output.video_url.
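The polling template above as a bounded loop that keeps the API key out of anything it returns. This is an added example, not code from the skill: the function names, the task_id pattern, and the RUNNING and FAILED status values are assumptions, and the replies in demo() are constructed so it runs offline.

```python
import os
import re
import time
from urllib.parse import urlparse

TASKS_URL = "https://dashscope.aliyuncs.com/api/v1/tasks/"  # endpoint from the template
TASK_ID_RE = re.compile(r"[A-Za-z0-9-]{1,64}")  # assumed task_id shape; rejects path tricks

def http_get_json(url, headers):
    """Default transport (stdlib only); callers may inject their own."""
    import json, urllib.request
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def poll_task(task_id, api_key, get=http_get_json, sleep=time.sleep,
              interval=15, max_attempts=10):
    """Poll until SUCCEEDED; the returned summary never contains the API key."""
    if not TASK_ID_RE.fullmatch(task_id):
        raise ValueError("unexpected task_id format")
    headers = {"Authorization": f"Bearer {api_key}"}
    for attempt in range(1, max_attempts + 1):
        output = get(TASKS_URL + task_id, headers).get("output", {})
        status = output.get("task_status")
        if status == "SUCCEEDED":
            url = output.get("video_url", "")
            if urlparse(url).scheme != "https":
                raise ValueError("video_url is not https; refusing to download")
            return {"task_id": task_id, "status": status,
                    "attempts": attempt, "video_host": urlparse(url).hostname}
        if status == "FAILED":  # assumed terminal failure value, not shown on the page
            raise RuntimeError(f"task {task_id} failed")
        if attempt < max_attempts:
            sleep(interval)  # 15-20 s between polls, per the notes above
    raise TimeoutError(f"task {task_id} not finished after {max_attempts} attempts")

def demo():
    """Constructed replies standing in for the API, so this runs offline."""
    replies = iter([{"output": {"task_status": "RUNNING"}},
                    {"output": {"task_status": "SUCCEEDED",
                                "video_url": "https://example.invalid/v.mp4"}}])
    seen = []
    def fake_get(url, headers):
        seen.append(url)
        return next(replies)
    key = os.environ.get("DASHSCOPE_API_KEY", "sk-constructed-placeholder")
    return poll_task("constructed-task-0001", key, get=fake_get, sleep=lambda s: None), seen

if __name__ == "__main__":
    print(demo()[0])
```

The summary records only the task id, status, attempt count and download host, so it can be written to an evidence file without carrying the bearer token or the full result URL.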

Clarifying questions (ask when uncertain)

  1. Are you working with text, image, audio, or video?
  2. Is this generation, editing/understanding, or retrieval?
  3. Do you need speech (TTS/ASR/live translate) or retrieval (embedding/rerank/vector DB)?
  4. Do you want runnable SDK scripts or just API/parameter guidance?

References

  • Model list and links: output/alicloud-model-studio-models-summary.md

  • API/parameters/examples: see target sub-skill SKILL.md and references/*.md

  • Official source list: references/sources.md

Validation

mkdir -p output/alicloud-ai-entry-modelstudio
echo "validation_placeholder" > output/alicloud-ai-entry-modelstudio/validate.txt

Pass criteria: command exits 0 and output/alicloud-ai-entry-modelstudio/validate.txt is generated.

Output And Evidence

  • Save artifacts, command outputs, and API response summaries under output/alicloud-ai-entry-modelstudio/.
  • Include key parameters (region/resource id/time range) in evidence files for reproducibility.

Workflow

  1. Confirm user intent, region, identifiers, and whether the operation is read-only or mutating.
  2. Run one minimal read-only query first to verify connectivity and permissions.
  3. Execute the target operation with explicit parameters and bounded scope.
  4. Verify results and save output/evidence files.
