Aliyun Cosyvoice Voice Clone

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill appears benign: it provides a disclosed Alibaba Cloud CosyVoice voice-cloning workflow, but users should protect the API key, use authorized audio only, and note that enrollment creates provider-side resources and local output files.

Before installing or using this skill, confirm you have permission to clone the referenced voice, use a protected Alibaba Cloud API key, review any enrollment request before sending it, and avoid sharing the generated output files if they contain sample URLs or voice enrollment details.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Repeated or accidental enrollment requests may create unwanted custom voices or consume cloud quota.

Why it was flagged

The skill's intended API workflow can mutate the user's Alibaba Cloud account by creating a custom voice and using quota. This is disclosed and central to the stated voice-cloning purpose.

Skill content

Avoid frequent enrollment calls; each call creates a new custom voice and consumes quota.

Recommendation

Run enrollment only after confirming the target model, prefix, audio source, and account quota/billing impact; use only audio you are authorized to clone.

What this means

The API key may authorize Model Studio operations and quota usage in the user's Alibaba Cloud account.

Why it was flagged

The skill needs Alibaba Cloud account credentials for the provider API. This is expected, but the supplied registry metadata lists no primary credential or required environment variable.

Skill content

Set `DASHSCOPE_API_KEY` in your environment, or add `dashscope_api_key` to `~/.alibabacloud/credentials`.

Recommendation

Use a scoped or usage-limited key where possible, keep it out of shared logs and files, and remove or rotate it if exposed.

What this means

Local output files may disclose the sample URL, model choice, prefix, or response details to anyone who can access the project directory.

Why it was flagged

The skill deliberately persists request and response-related information locally, including the reference audio URL. This is purpose-aligned but can reveal voice-cloning context if the output directory is shared.

Skill content

Save artifacts, command outputs, and API response summaries under `output/aliyun-cosyvoice-voice-clone/`. Include `target_model`, `prefix`, and sample URL in the evidence file.

Recommendation

Avoid using sensitive or private sample URLs, and delete or redact the output directory before sharing the workspace.