Alicloud Ai Entry Modelstudio
PassAudited by ClawScan on May 10, 2026.
Overview
This instruction-only skill is a coherent Alibaba Cloud Model Studio router, with expected SDK, API-key, and local-output notes but no evidence of hidden or malicious behavior.
This skill appears safe to use as an Alibaba Cloud Model Studio router. Before installing or using it, verify any downstream target skill it selects, install the dashscope SDK in a virtual environment, use a limited Alibaba API key, and review or delete saved output files if they contain sensitive content.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A wrong routing choice or unreviewed new skill could cause the agent to use capabilities the user did not intend.
The skill delegates work to other local skills and may prompt creation of a missing skill. This is aligned with its router purpose, but it means downstream actions should be explicitly confirmed.
Route requests to existing local skills ... If capability is missing in repo, add a new skill first.
Confirm the selected target skill, parameters, and any new-skill creation before proceeding.
The API key may allow use of the user's Alibaba Cloud account and could incur costs or access account resources depending on its permissions.
The skill uses Alibaba Cloud credentials, which is expected for Model Studio API access, but credential access is still security-relevant.
Configure `DASHSCOPE_API_KEY` (environment variable preferred; or `dashscope_api_key` in `~/.alibabacloud/credentials`).
Use a least-privilege API key, avoid pasting secrets into chat, and revoke or rotate the key if it may have been exposed.
Installing an unpinned package can pull a newer or compromised version in the future.
The setup instructions install an external Python package without pinning a version. This is user-directed and purpose-aligned, but package provenance and version drift matter.
python -m pip install dashscope
Install from a trusted package source and consider pinning a known-good dashscope version in a virtual environment.
Sensitive generated content or request details may remain on disk after the task completes.
The skill persists outputs and summaries locally. This is scoped and useful for evidence, but the saved data may include sensitive prompts, media URLs, identifiers, or response contents.
Save artifacts, command outputs, and API response summaries under `output/alicloud-ai-entry-modelstudio/`.
Review saved files before sharing them and delete the output directory when the evidence is no longer needed.