Aliyun Animate Anyone

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a straightforward Alibaba Cloud AnimateAnyone helper, but it uses Alibaba credentials, public media URLs, and local output files that users should handle carefully.

This skill looks safe for its stated purpose. Before using it, make sure you are comfortable sending the selected media to Alibaba Cloud, avoid using sensitive public URLs, and protect or clean up the local output folder and API credentials.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using the skill may consume or access resources under the user's Alibaba Cloud account.

Why it was flagged

The skill requires an Alibaba/DashScope API credential for its provider workflow, even though registry metadata lists no required credential. This is expected for the service but should be explicit to users.

Skill content

Set `DASHSCOPE_API_KEY` in your environment, or add `dashscope_api_key` to `~/.alibabacloud/credentials`.

Recommendation

Use a dedicated, least-privilege API key where possible, avoid sharing the key in prompts, and remove or rotate it if no longer needed.

What this means

Private or sensitive images/videos could be exposed if the user hosts them at public URLs or sends them to the provider.

Why it was flagged

The provider flow requires the user's image or video inputs to be reachable by URL, which means media may be accessible outside the local machine and processed by Alibaba Cloud.

Skill content

Input files must be public HTTP/HTTPS URLs.

Recommendation

Use only media you are comfortable sending to Alibaba Cloud, prefer short-lived or access-controlled URLs when supported, and remove hosted files after the job completes.

What this means

Anyone with access to the output directory may see details about the generated video request.

Why it was flagged

The skill intentionally persists request and task artifacts locally. This is scoped and disclosed, but those files may contain media URLs, template IDs, or task metadata.

Skill content

Save normalized request payloads, detection outputs, template IDs, and task polling snapshots under `output/aliyun-animate-anyone/`.

Recommendation

Review, secure, or delete `output/aliyun-animate-anyone/` after use if the inputs or generated task details are sensitive.