Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alicloud Ai Entry Modelstudio Test

v1.0.3

Run a minimal test matrix for the Model Studio skills that exist in this repo, including image/video/audio, realtime speech, omni, visual reasoning, embeddin...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The skill's stated purpose—run a minimal test matrix across many Model Studio sub-skills—matches the SKILL.md steps (open sub-skill SKILL.md, run one request per sub-skill). However the manifest metadata does not declare the credential/config needs that the instructions require (see environment_proportionality).
! Instruction Scope
Runtime instructions tell the operator to install the 'dashscope' SDK, set DASHSCOPE_API_KEY or use ~/.alibabacloud/credentials, read many sub-skill SKILL.md files, run SDK/API calls, and save evidence including region/resource IDs/time ranges. That is expected for testing, but it also means tests may access real cloud resources, be mutating (some operations may create or modify content), and will record potentially sensitive identifiers into repository files—there is no built-in safeguard to enforce read-only testing.
Install Mechanism
This is instruction-only (no install spec). SKILL.md requires creating a venv and pip-installing 'dashscope'. That is a common pattern, but the package name is not validated in the metadata (no lockfile or vetted source). Installing arbitrary PyPI packages carries moderate risk—verify the package provenance before pip install.
! Credentials
The SKILL.md explicitly requires DASHSCOPE_API_KEY (or ~/.alibabacloud/credentials) but the registry metadata lists no required env vars or config paths. This mismatch is material: the skill needs cloud credentials to function but does not declare them, which can mislead reviewers and automated gates.
Persistence & Privilege
always is false and the skill is instruction-only with no install spec that persists code or modifies other skills/config. It does instruct saving test outputs under an output/ path in the repo, which is normal for test artifacts.
What to consider before installing
Before running:
(1) Expect to provide an Alibaba Cloud API key (DASHSCOPE_API_KEY) or credentials file—the registry metadata does not declare this, so add or verify it.
(2) Run tests in an isolated environment (fresh venv, dedicated or limited-scope API key) so any accidental mutating calls or credentials are confined.
(3) Inspect each referenced sub-skill's SKILL.md to confirm the exact API calls and whether they are read-only; some capabilities (video/editing/voice cloning) may create resources or be billable.
(4) Verify the 'dashscope' PyPI package/project identity before pip install (ensure it's from the official source).
(5) Avoid committing output files that include region/resource IDs, API keys, or other sensitive identifiers; sanitize or store evidence securely.
(6) Consider updating the skill metadata to declare DASHSCOPE_API_KEY and the ~/.alibabacloud/credentials config path so automated reviewers and users are aware of the credential requirement.

Like a lobster shell, security has layers — review code before you run it.
