Alicloud Ai Entry Modelstudio Test

Security checks across malware telemetry and agentic risk

Overview

This is a transparent Alibaba Cloud Model Studio test workflow, with expected cloud API use and local result files but no hidden or destructive behavior found.

Install only if you intend to run Alibaba Cloud Model Studio tests. Use a dedicated test API key where possible, avoid sensitive prompts or media, confirm any generation, editing, voice-cloning, or billable operation before running it, and review or delete saved output files before sharing or committing them.
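The precautions above (key only from `DASHSCOPE_API_KEY`, no sensitive prompts, explicit confirmation before anything that creates content or bills, and a review of saved outputs) can be enforced before each test call rather than remembered. The following pre-flight gate is an added example written for this page; it is not code from the skill, from Alibaba Cloud, or from the DashScope SDK. The capability names are the ones the page lists, but their classification as mutating, the secret and PII regexes, the output-directory layout and the `sk-` key prefix are assumptions for illustration and should be tuned locally. It does not call the SDK itself; a real run would invoke the SDK only after `preflight` returns an allow decision.

```python
"""Pre-flight gate for Model Studio test runs (added example, not the skill's code)."""
import os
import re
import tempfile
from pathlib import Path

# Capabilities the skill exercises (from the page). Each creates or transforms
# content, so each is treated as mutating and billable. An unlisted capability
# is refused rather than guessed at. The page names no read-only capability;
# add one to READ_ONLY only after verifying it does not create or bill.
MUTATING = {"text-to-image", "text-to-video", "image-edit", "voice-clone", "voice-design"}
READ_ONLY = set()

# Rough detectors for text that must not leave for a third-party service.
# Assumed patterns: the key prefix and the PII shapes are illustrative.
SENSITIVE = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "api_key": re.compile(r"\bsk-[A-Za-z0-9]{16,}\b"),
    "aws_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# File types a generation run is expected to leave behind (assumed list).
ARTIFACT_SUFFIXES = {".png", ".jpg", ".jpeg", ".mp4", ".wav", ".mp3", ".json"}


def masked_key(env=os.environ):
    """Masked form of DASHSCOPE_API_KEY for logging, or None if it is unset.

    Only that one variable is consulted and the full key is never returned,
    so a test log cannot leak it.
    """
    key = env.get("DASHSCOPE_API_KEY", "").strip()
    if not key:
        return None
    if len(key) < 8:
        return "*" * len(key)
    return key[:3] + "*" * (len(key) - 7) + key[-4:]


def find_sensitive(text):
    """Names of the SENSITIVE patterns that match anywhere in text, sorted."""
    return sorted(name for name, rx in SENSITIVE.items() if rx.search(text))


def preflight(capability, prompt, confirm=False, env=os.environ):
    """Decide whether a test call may be sent.

    Returns (allowed, reason, mutating). Order of checks: key present,
    capability classified, prompt free of secrets/PII, billable ops confirmed.
    """
    if masked_key(env) is None:
        return (False, "DASHSCOPE_API_KEY is not set", None)
    if capability in MUTATING:
        mutating = True
    elif capability in READ_ONLY:
        mutating = False
    else:
        return (False, "unknown capability %r; classify it before running" % capability, None)
    hits = find_sensitive(prompt)
    if hits:
        return (False, "prompt contains " + ", ".join(hits) +
                "; it would be sent to a third-party service", mutating)
    if mutating and not confirm:
        return (False, "%s creates content and is billable; rerun with confirm=True"
                % capability, mutating)
    return (True, "ok", mutating)


def saved_artifacts(outdir):
    """Output files a run left behind, as paths relative to outdir, for review
    or deletion before the directory is shared or committed."""
    root = Path(outdir)
    if not root.is_dir():
        return []
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*")
                  if p.is_file() and p.suffix.lower() in ARTIFACT_SUFFIXES)


def demo_artifacts():
    """Constructed output tree showing what saved_artifacts reports."""
    root = Path(tempfile.mkdtemp(prefix="modelstudio-test-"))
    (root / "images").mkdir()
    (root / "images" / "out.png").write_bytes(b"\x89PNG constructed, not a real image")
    (root / "voice.wav").write_bytes(b"RIFF constructed, not real audio")
    (root / "notes.txt").write_text("not an artifact")
    return saved_artifacts(root)


if __name__ == "__main__":
    # Constructed environment: a placeholder, not a real key.
    demo_env = {"DASHSCOPE_API_KEY": "sk-constructedtestkey0000"}
    print("key:", masked_key(demo_env))
    print(preflight("text-to-image", "a lighthouse at dusk", env=demo_env))
    print(preflight("text-to-image", "a lighthouse at dusk", confirm=True, env=demo_env))
    print(preflight("voice-clone", "read this aloud: bob@example.com", confirm=True, env=demo_env))
    print("review before sharing:", demo_artifacts())
```

Run it with a throwaway key in `DASHSCOPE_API_KEY` and gate every SDK call on `preflight(...)[0]`; the refusal reasons make the read-only-versus-mutating question the workflow asks explicit instead of leaving it to the operator.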

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium severity, 93% confidence
Finding
The workflow says to 'run one minimal read-only query first' and asks whether the operation is read-only or mutating, but this skill's stated purpose is to execute tests for capabilities such as text-to-image, text-to-video, image editing, voice clone, and voice design, which create or transform content rather than perform read-only queries. That documentation creates a misleading impression about the nature of the operations the skill actually directs the user to run.

Missing User Warnings

Medium severity, 93% confidence
Finding
This markdown file instructs the user to install the SDK, configure `DASHSCOPE_API_KEY`, and run SDK calls against multiple Model Studio capabilities, including audio, image, video, and multimodal services. While the workflow mentions confirming intent and scope, it does not explicitly warn that user inputs and artifacts will be transmitted to a third-party service and may have privacy or billing implications.

VirusTotal

59/59 vendors flagged this skill as clean.