Alicloud Ai Image Qwen Image

Pass

Audited by ClawScan on May 1, 2026.

Overview

This is a coherent Alibaba Cloud image-generation helper, but users should note that it uses DashScope credentials and sends prompts or reference images to Alibaba Cloud.

Install this only if you intend to use Alibaba Cloud DashScope for image generation. Use a scoped API key, consider pinning the dashscope SDK version, avoid submitting confidential prompts or reference images unless permitted, and periodically clean the local output directory.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill may use your Alibaba Cloud DashScope API key, which can consume account quota or incur costs.

Why it was flagged

The helper can read a local Alibaba Cloud credentials profile to obtain a DashScope API key. This is expected for a DashScope image-generation provider, but it is sensitive account access and is not declared in the registry metadata.

Skill content
credentials_path = Path(os.path.expanduser("~/.alibabacloud/credentials"))
...
key = config.get(profile, "dashscope_api_key", fallback="").strip()
...
os.environ["DASHSCOPE_API_KEY"] = key
Recommendation

Use a scoped DashScope key, verify the selected Alibaba Cloud profile, and avoid placing unrelated high-privilege credentials where this helper may read them.

What this means

Prompts and reference images may leave the local machine and be processed by the external provider.

Why it was flagged

The script can read a user-specified local reference image and include it in the DashScope API request. Sending prompts and reference images to the image-generation provider is core to the skill, but users should treat those inputs as data shared with Alibaba Cloud.

Skill content
if path.exists():
        return path.read_bytes()
...
response = ImageGeneration.call(
        model=MODEL_NAME,
        messages=messages,
Recommendation

Do not submit private, regulated, or confidential images or prompts unless your Alibaba Cloud/DashScope data handling terms allow it.

What this means

Different or future SDK versions could change API behavior or dependency contents.

Why it was flagged

The setup instructions install the DashScope SDK without a pinned version. This is normal for an SDK-based integration, but it leaves behavior dependent on the package version resolved at install time.

Skill content
python -m pip install dashscope
Recommendation

Install in a virtual environment and consider pinning a reviewed dashscope version for reproducible use.

What this means

Local output files may retain prompts, image URLs, or metadata after a run.

Why it was flagged

The skill intentionally persists prompts, generated image URLs, metadata, and sample responses as local evidence. This is disclosed and useful for debugging, but those saved prompts or URLs may contain sensitive project context.

Skill content
Write generated image URLs, prompts, and metadata to `output/alicloud-ai-image-qwen-image/`.
- Keep at least one sample JSON response per run.
Recommendation

Review and clean the output directory when prompts, reference images, or generated URLs are sensitive.