ClawHub

Alicloud Ai Image Qwen Image Edit

Security checks across malware telemetry and agentic risk

Overview

This is a focused Alibaba Cloud Qwen image-edit helper with expected API-key and local-output behavior, and no evidence of hidden persistence or malicious activity.

Install this only if you intend to use Alibaba Cloud DashScope for image editing. Use a dedicated API key where possible, keep credentials out of source control and logs, review local output files for private prompts or image URLs, and consider pinning the dashscope SDK version for reproducible installs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
70% confidence
Finding
Without declared permissions the skill's intent is opaque and cannot be validated.

Intent-Code Divergence

Low
Confidence
91% confidence
Finding
The manifest and the rest of the document describe a narrowly scoped image-edit skill centered on preparing edit requests and handling edit responses. The workflow text introduces generic operational concepts like determining whether an operation is read-only or mutating and performing a read-only query first, which do not align with the documented image-edit interface or helper script and therefore actively misdescribe the skill's intended behavior.

Session Persistence

Medium
Category
Rogue Agent
Content
## Validation

```bash
mkdir -p output/alicloud-ai-image-qwen-image-edit
python -m py_compile skills/ai/image/alicloud-ai-image-qwen-image-edit/scripts/prepare_edit_request.py && echo "py_compile_ok" > output/alicloud-ai-image-qwen-image-edit/validate.txt
```
Confidence
60% confidence
Finding
mkdir -p output/alicloud-ai-image-qwen-image-edit python -m py_compile skills/ai/image/alicloud-ai-image-qwen-image-edit/scripts/prepare_edit_request.py && echo "py_compile_ok" > output/alicloud-ai-im

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal