Aliyun Qwen Asr
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill appears to do what it says—transcribe user-selected audio with Alibaba DashScope—but it uses a DashScope API key and sends audio content to Alibaba Cloud.
Before installing, confirm you are comfortable sending the selected audio to Alibaba DashScope, use a dedicated API key, and keep generated transcript/API-response files private if they may contain sensitive speech.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Selected audio content is sent to Alibaba Cloud for processing, and transcripts or raw responses may be saved locally.
The helper can read a user-supplied local audio file, base64-encode it, and submit it to the stated Alibaba DashScope endpoint. This is expected for transcription, but the audio may contain sensitive speech.
ASR_SYNC_ENDPOINT = "https://dashscope.aliyuncs.com/compatible-mode/v1/chat/completions"
...
b64 = base64.b64encode(path.read_bytes()).decode("ascii")
Only transcribe files you intend to share with DashScope, and keep the output directory private if the audio or transcript is sensitive.
The helper may use the DashScope key from your environment or Alibaba Cloud credential profile, which can affect billing and account access.
The script can source a DashScope API key from local environment files or Alibaba Cloud credentials and then use it for provider API calls. This is purpose-aligned, but it is credential access that users should understand.
_load_dotenv(Path.cwd() / ".env")
...
credentials_path = Path(os.path.expanduser("~/.alibabacloud/credentials"))
...
os.environ["DASHSCOPE_API_KEY"] = key
Use a dedicated least-privilege DashScope API key, set the intended profile explicitly, and avoid placing unrelated secrets in project .env files.
The origin and update history of the bundled helper script are hard to verify independently.
The skill does not declare an upstream source or homepage. The visible behavior is coherent and no external package install is required, but provenance is limited.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Review the bundled script and compare endpoints/options with Alibaba's official documentation before using it with sensitive audio or production credentials.
