Aliyun Modelstudio Entry

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent instruction-only router for Alibaba Cloud Model Studio, with expected notes around SDK installation, DashScope credentials, target-skill handoffs, and local output files.

Install this only if you intend to use Alibaba Cloud Model Studio. Use a virtual environment, protect your DashScope API key, approve any new-skill creation explicitly, review the target sub-skill before high-impact actions, and clean local output files if they contain sensitive data.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent might move from routing a request into modifying local skill files if a requested capability is unavailable.

Why it was flagged

Unsupported requests are directed toward creating a new local skill, which can change the agent's available behavior. This is purpose-adjacent for a routing repo, but should not happen without explicit user approval.

Skill content

- If capability is missing in repo, add a new skill first.

Recommendation

Require clear user confirmation before creating or modifying any local skill, and review the new skill before using it.

What this means

Using this skill may allow Alibaba Model Studio API calls under the user's account and could incur usage or expose provider-accessible inputs.

Why it was flagged

The skill expects Alibaba Cloud/DashScope credentials for provider API calls. This is aligned with the stated purpose, but it is worth noticing because the registry metadata lists no required credential.

Skill content

Configure `DASHSCOPE_API_KEY` (environment variable preferred; or `dashscope_api_key` in `~/.alibabacloud/credentials`).

Recommendation

Use a least-privilege API key, avoid sharing it in prompts or files, and revoke or rotate it when no longer needed.

What this means

Installing an unpinned package can result in different code being installed over time.

Why it was flagged

The setup instructions install the provider SDK without a pinned version. This is user-directed and central to the skill's purpose, but package provenance and version drift remain a normal supply-chain consideration.

Skill content

python -m pip install dashscope

Recommendation

Install from a trusted package index, use the recommended virtual environment, and consider pinning a known-good dashscope version.

What this means

Prompts, parameters, identifiers, result URLs, or response summaries may remain on disk after the task.

Why it was flagged

The skill creates persistent local evidence files that may include request parameters or response summaries. This is disclosed and useful for reproducibility, but those files may contain sensitive task details.

Skill content

Save artifacts, command outputs, and API response summaries under `output/aliyun-modelstudio-entry/`.

Recommendation

Review saved output files before sharing the workspace and delete or redact them if they contain sensitive information.