Aliyun Qwen Coder
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill is a coherent Qwen Coder provider helper. The notes below cover behavior that is expected for that purpose: installing the provider SDK, using an Alibaba Cloud API key, and saving local prompt/request artifacts.
This skill appears safe for its stated purpose. Before installing, use a virtual environment, protect your DASHSCOPE_API_KEY, avoid sending secrets or unnecessary files to the model, and periodically review the local output directory for sensitive prompt or repository data.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Because the package is installed unpinned, its behavior can change over time depending on the latest version available from pip.
The skill asks the user to install the Alibaba Cloud SDK from pip without pinning a version. This is purpose-aligned provider setup, but users should be aware of the external dependency.
`python -m pip install dashscope`
Install in the recommended virtual environment and consider pinning a reviewed dashscope version for reproducible use.
Anyone using the skill with this credential may be able to make requests against the associated Alibaba Cloud account, which could expose submitted prompts and incur costs.
The skill requires an Alibaba Cloud Model Studio credential for provider access. This is expected for the stated purpose and no credential logging or unrelated transmission is shown.
Set `DASHSCOPE_API_KEY` in your environment, or add `dashscope_api_key` to `~/.alibabacloud/credentials`.
Use a dedicated, least-privilege API key where possible and avoid placing sensitive credentials in shared environments.
Sensitive repository information included in prompts or summaries may remain on disk in the output directory.
The skill intentionally persists prompt and repository-context artifacts locally. This is disclosed and scoped, but those files may contain private code or project details.
Save prompts, repository context summaries, and normalized coding request payloads under `output/aliyun-qwen-coder/`.
Review or clean the output directory when working with private code, secrets, or confidential repository context.
