Alicloud Ai Image Zimage Turbo

Pass

Audited by ClawScan on May 10, 2026.

Overview

This skill appears to be a straightforward Alibaba Cloud image generator, but it uses a DashScope API key and writes generated images locally, so users should verify the endpoint and output path.

Install this only if you intend to use Alibaba Cloud DashScope for image generation. Configure the API key deliberately, avoid sensitive prompts unless you are comfortable sending them to Alibaba Cloud, keep `base_url` on official/trusted endpoints, and save outputs to a directory you control.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Generated image requests may consume Alibaba Cloud credits and are tied to the configured account.

Why it was flagged

The skill requires an Alibaba DashScope credential. This is expected for image generation, but it gives the skill access to a billable provider account.

Skill content

Set `DASHSCOPE_API_KEY` in your environment, or add `dashscope_api_key` to `~/.alibabacloud/credentials` (env takes precedence).

Recommendation

Use a dedicated or least-privilege DashScope key if available, keep it out of shared logs, and rotate it if it may have been exposed.

What this means

A wrong base URL could send the API key and prompt to an unintended server, and an unintended output path could overwrite a local file.

Why it was flagged

The helper can post requests to a configurable endpoint and write the returned image to a user-specified path. This is useful for regional endpoints and local outputs, but it should be kept to trusted endpoints and intended file paths.

Skill content

`base_url = req.get("base_url") or os.getenv("DASHSCOPE_BASE_URL") or DEFAULT_BASE_URL` ... `download_image(result["image_url"], Path(args.output))`

Recommendation

Use the official DashScope Beijing or Singapore endpoint unless intentionally using a trusted proxy, and save outputs under the documented output directory.