Aliyun Emo
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill appears benign and purpose-aligned, but it involves Alibaba Cloud credentials and public media URLs that users should handle carefully.
Before installing, confirm you are comfortable using an Alibaba Cloud API key and hosting the portrait image and speech audio at public or provider-accessible URLs. Prefer limited credentials, temporary URLs, and non-sensitive media, and clean up generated output files when finished.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill for real EMO requests may authorize actions against the user’s Alibaba Cloud account.
The skill may rely on an Alibaba Cloud API key or credential profile even though the registry metadata declares no required credential. This is expected for the stated provider workflow, but users should be aware that account authority and possible cloud charges are involved.
Set `DASHSCOPE_API_KEY` in your environment, or add `dashscope_api_key` to `~/.alibabacloud/credentials`.
Use a limited-purpose API key, avoid exposing it in prompts or logs, monitor provider usage, and declare the credential requirement in metadata if publishing the skill.
Images, audio, generated task data, or URLs may be accessible to Alibaba Cloud and possibly anyone who can access the public URLs.
The workflow requires the portrait image and speech audio to be reachable by URL for provider processing. This data flow is disclosed and purpose-aligned, but portrait and voice data can be sensitive.
Input files must be public HTTP/HTTPS URLs.
Use temporary or signed URLs where possible, avoid highly sensitive media, delete public objects after processing, and review Alibaba Cloud’s data handling terms.
