Aliyun Liveportrait

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill appears to be a straightforward Alibaba Cloud LivePortrait request-preparation helper, but note that it relies on Alibaba credentials and public portrait/audio URLs.

This skill is reasonable to install if you intend to use Alibaba Cloud LivePortrait. Before using it, make sure you are comfortable providing Alibaba/DashScope credentials and public or provider-accessible URLs for portrait and audio files, and clean up the output directory if those URLs are sensitive.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using this skill may allow the agent to make requests against the user's Alibaba Cloud Model Studio account, potentially consuming quota or incurring costs.

Why it was flagged

The skill needs Alibaba Cloud provider credentials, which is expected for LivePortrait access, but the registry metadata declares no required credentials.

Skill content

Set `DASHSCOPE_API_KEY` in your environment, or add `dashscope_api_key` to `~/.alibabacloud/credentials`.

Recommendation

Use a least-privileged Alibaba/DashScope credential where possible, monitor usage, and avoid leaving unnecessary credentials available in the environment.

What this means

Portrait and voice URLs may remain in local output files after the task and could be exposed if the workspace is shared or synced.

Why it was flagged

The skill intentionally persists request details, including links to portrait and audio inputs, which can contain personal or sensitive media.

Skill content

Save normalized request payloads, template choice, and task polling snapshots under `output/aliyun-liveportrait/`. Record the exact portrait/audio URLs

Recommendation

Use temporary or access-controlled media URLs when possible, review the output directory, and delete generated request/evidence files if they contain sensitive links.