Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Aliyun Modelstudio Entry Test
v1.0.0Use when running a minimal test matrix for the Model Studio skills that exist in this repo, including image/video/audio, realtime speech, omni, visual reason...
⭐ 0· 36·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (minimal test matrix for Alibaba Model Studio skills) align with the runtime instructions: open sub-skill SKILL.md files, run one small request per capability, and save results. The required actions (SDK calls to Alibaba services) are expected for this purpose.
Instruction Scope
Instructions explicitly tell the operator/agent to read sub-skill SKILL.md files in the repo, run SDK calls, and write output/evidence under output/. They also instruct checking user intent/region and to include certain parameters in evidence files. Reading repo files and writing results is within scope; however the SKILL.md also references reading ~/.alibabacloud/credentials as an alternative auth source — that touches a user credential file outside the skill directory and should be handled carefully.
Install Mechanism
There is no install spec in registry metadata, but SKILL.md instructs creating a venv and running 'pip install dashscope'. Installing a third-party pip package at runtime is common for SDKs but carries moderate risk: the package origin/version is not pinned or proven here. Using an isolated venv is recommended (and the instructions suggest one).
Credentials
SKILL.md requires DASHSCOPE_API_KEY (or credentials stored in ~/.alibabacloud/credentials) to run, but the skill metadata lists no required env vars and no primary credential. This mismatch means the registry entry underreports credential needs. Requiring an Alibaba API key is proportionate to the stated goal, but the missing declaration is an important coherence/visibility issue.
Persistence & Privilege
The skill does not request always:true and is not requesting to modify other skills or system-wide settings. It is user-invocable and allows autonomous invocation by default (platform normal). No additional persistence or elevated privileges are requested by the manifest.
Scan Findings in Context
[NO_SCAN_FINDINGS] expected: The regex-based scanner had nothing to analyze because this is an instruction-only skill with no code files. That absence of findings is not evidence of safety; the SKILL.md itself contains notable instructions (installing dashscope and using DASHSCOPE_API_KEY).
What to consider before installing
Before installing or running this skill: 1) Treat the SKILL.md as authoritative — it requires installing a third-party Python package ('dashscope') and providing an Alibaba API key (DASHSCOPE_API_KEY or ~/.alibabacloud/credentials), but the registry metadata does not declare those env vars. 2) Use an isolated virtual environment as instructed, and consider reviewing the 'dashscope' package source or pinning a trusted release/version before pip installing. 3) Avoid putting long-lived or high-privilege credentials in the environment or in ~/.alibabacloud/credentials for testing; create a scoped test API key with minimal permissions and rotate/delete it after use. 4) Inspect each referenced sub-skill's SKILL.md (the test will open and execute those) so you understand additional auth needs or network endpoints. 5) When saving evidence/output, ensure you do not accidentally write secrets or full API responses containing sensitive data. If you want me to proceed with a deeper review, provide the contents of the referenced sub-skill SKILL.md files and/or the dashscope package origin/version.Like a lobster shell, security has layers — review code before you run it.
latestvk975awvqk9e4xk1d88xqq0vf3d841yd5
License
MIT-0
Free to use, modify, and redistribute. No attribution required.