Aliyun Cosyvoice Voice Design

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill is a coherent Alibaba Cloud CosyVoice request helper, with expected but under-declared use of an Alibaba/DashScope API credential.

This appears safe for its stated purpose. Before using it with Alibaba Cloud, confirm you intend to create a CosyVoice custom voice, use an appropriately scoped API key, and review any saved output files because they may include the voice prompt and preview text you provided.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using the skill for real API calls may consume Alibaba Cloud account access and create a custom voice resource tied to that account.

Why it was flagged

The skill may rely on an Alibaba/DashScope API key or local Alibaba Cloud credential profile, although the registry metadata lists no required credential. This is purpose-aligned for calling Alibaba Cloud Model Studio, and the artifacts do not show credential logging, exfiltration, or unrelated use.

Skill content

Set `DASHSCOPE_API_KEY` in your environment, or add `dashscope_api_key` to `~/.alibabacloud/credentials`.

Recommendation

Use a scoped Alibaba/DashScope API key where possible, verify the intended endpoint and `target_model` before making API calls, and avoid placing secrets in prompts or saved evidence files.