Alicloud Ai Video Wan Video
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill appears to do its stated job of generating Alibaba DashScope videos, but users should notice that it uses provider credentials, may upload local reference images, and installs an external SDK.
Install only if you intend to use Alibaba Cloud DashScope for video generation. Use a dedicated API key, review any local image paths before running, keep outputs/logs in a safe directory, and consider pinning the DashScope SDK version in a virtual environment.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the script may use your DashScope account and could incur provider usage or expose account access if the key is too broad.
The script can read a local Alibaba Cloud credentials profile and use the DashScope API key for provider access. This is expected for the stated integration and the code does not show credential logging or unrelated use, but it is sensitive account authority.
credentials_path = Path(os.path.expanduser("~/.alibabacloud/credentials")) ... key = config.get(profile, "dashscope_api_key", fallback="").strip() ... os.environ["DASHSCOPE_API_KEY"] = key
Use a dedicated DashScope API key with limited scope/quota where possible, and confirm which profile or environment key will be used before running generation.
A local image path supplied as a reference image may leave your machine and be processed by Alibaba Cloud DashScope.
The skill discloses that local reference images may be uploaded to the external DashScope provider. This is necessary for image-to-video generation, but it is a sensitive data-transfer boundary.
`reference_image` can be a URL or local path; the SDK auto-uploads local files.
Only provide reference images you are comfortable uploading to DashScope, and avoid passing paths to private or unrelated local files.
The behavior of the installed SDK can change over time depending on the package version resolved at install time.
The documentation instructs users to install the DashScope SDK with pip without pinning a version. This is a normal dependency for the provider integration, but the version and provenance are not locked by the artifacts.
python -m pip install dashscope
Install in a virtual environment, consider pinning a reviewed DashScope version, and obtain the package from the official package index.
