Alicloud Ai Entry Modelstudio
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A wrong routing choice or unreviewed new skill could cause the agent to use capabilities the user did not intend.
The skill delegates work to other local skills and may prompt creation of a missing skill. This is aligned with its router purpose, but it means downstream actions should be explicitly confirmed.
Route requests to existing local skills ... If capability is missing in repo, add a new skill first.
Confirm the selected target skill, parameters, and any new-skill creation before proceeding.
The API key may allow use of the user's Alibaba Cloud account and could incur costs or access account resources depending on its permissions.
The skill uses Alibaba Cloud credentials, which is expected for Model Studio API access, but credential access is still security-relevant.
Configure `DASHSCOPE_API_KEY` (environment variable preferred; or `dashscope_api_key` in `~/.alibabacloud/credentials`).
Use a least-privilege API key, avoid pasting secrets into chat, and revoke or rotate the key if it may have been exposed.
Installing an unpinned package can pull a newer or compromised version in the future.
The setup instructions install an external Python package without pinning a version. This is user-directed and purpose-aligned, but package provenance and version drift matter.
python -m pip install dashscope
Install from a trusted package source and consider pinning a known-good dashscope version in a virtual environment.
Sensitive generated content or request details may remain on disk after the task completes.
The skill persists outputs and summaries locally. This is scoped and useful for evidence, but the saved data may include sensitive prompts, media URLs, identifiers, or response contents.
Save artifacts, command outputs, and API response summaries under `output/alicloud-ai-entry-modelstudio/`.
Review saved files before sharing them and delete the output directory when the evidence is no longer needed.