Aliyun Emoji
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent Alibaba Cloud Emoji video helper, with expected notes about using provider credentials, public portrait URLs, and storing request evidence locally.
Install only if you intend to use Alibaba Cloud Model Studio Emoji with your own DashScope credentials. Use images you have permission to process, avoid sensitive long-lived public portrait URLs, and clean up output/aliyun-emoji/ if the saved request evidence is no longer needed.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using this skill may consume Alibaba Cloud account quota or incur charges through the configured API key.
The skill expects access to Alibaba Cloud/DashScope credentials, which is appropriate for the stated provider integration but is sensitive account authority and is not reflected in the registry credential declarations.
Set `DASHSCOPE_API_KEY` in your environment, or add `dashscope_api_key` to `~/.alibabacloud/credentials`.
Use a dedicated, scoped API key if possible, monitor provider usage, and avoid installing if you do not intend to grant Alibaba Cloud Model Studio access.
A portrait image URL supplied for generation may be accessible to Alibaba Cloud and potentially to anyone who can access the public URL.
The workflow requires a portrait image URL that can be accessed by the provider service, so the user's face image or its hosting URL crosses an external data boundary.
Input image must be a public HTTP/HTTPS URL.
Use only images you have permission to process, avoid long-lived public links for sensitive portraits, and review Alibaba Cloud's data handling terms.
Local output files may reveal which portrait was processed, the detected face region, the chosen template, and generation task details.
The skill intentionally keeps local evidence files containing portrait URLs and face-detection metadata. This is disclosed and useful for the workflow, but it creates retained sensitive metadata.
Save normalized request payloads, detected face boxes, selected template ID, and task polling snapshots under `output/aliyun-emoji/`. Record the exact portrait URL and whether detection passed.
Store outputs in an appropriate location, avoid sharing the output directory unintentionally, and delete these files when they are no longer needed.