Aliyun Qwen Generation

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a straightforward Alibaba Qwen text-generation helper with expected API-key, provider-call, package-install, and local-output considerations.

Install only if you intend to use Alibaba Cloud Model Studio Qwen models. Configure a scoped DashScope/API key, avoid sending sensitive data unless the provider terms fit your needs, and periodically review the generated files under `output/aliyun-qwen-generation/`.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using the skill may consume Alibaba Cloud API quota or incur costs under the configured account.

Why it was flagged

The skill requires a provider credential to access Alibaba Cloud Model Studio. This is expected for the stated purpose, but the credential can authorize API use and potential account charges.

Skill content

Set `DASHSCOPE_API_KEY` in your environment, or add `dashscope_api_key` to `~/.alibabacloud/credentials`.

Recommendation

Use a scoped Model Studio API key where possible, avoid sharing it in prompts or logs, and verify account billing/quota settings.

What this means

Installing the SDK adds third-party code to the local Python environment.

Why it was flagged

The setup asks the user to install the provider SDK from a package index without pinning a version. This is normal for a provider integration, but it is still a supply-chain dependency.

Skill content

python -m pip install dashscope

Recommendation

Install in the documented virtual environment, consider pinning or reviewing the `dashscope` package version, and use trusted package sources.

What this means

Prompt content and request parameters may be processed by Alibaba Cloud Model Studio.

Why it was flagged

The documented workflow sends chat messages to Alibaba Cloud's DashScope-compatible endpoint using the user's bearer token. This external provider communication is disclosed and purpose-aligned.

Skill content

curl -sS https://dashscope.aliyuncs.com/compatible-mode/v1/chat/completions ... -H "Authorization: Bearer $DASHSCOPE_API_KEY" ... "messages"

Recommendation

Do not send secrets or regulated data unless your Alibaba Cloud account, region, and data-handling terms are appropriate for that use.

What this means

Generated request and response evidence may remain on disk after use.

Why it was flagged

The skill intentionally persists prompt and response artifacts locally. The path is scoped and disclosed, but those files may contain sensitive prompt content if the user includes it.

Skill content

Save prompt templates, normalized request payloads, and response summaries under `output/aliyun-qwen-generation/`.

Recommendation

Review or clean the output directory if prompts include private information, and avoid committing generated outputs to shared repositories.