Aliyun Qwen Image Edit
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill appears purpose-aligned for Alibaba Cloud Qwen image editing, but users should note that it uses a DashScope API key, installs an SDK, and saves request/response evidence locally.
Before installing, make sure you are comfortable sending selected images and prompts to Alibaba Cloud Model Studio, use a dedicated DashScope API key, install the SDK in a virtual environment, and clean up local output files if the images or prompts are sensitive.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the SDK gives that package code execution in the virtual environment; a compromised or unexpected package version could affect the local environment.
The skill asks users to install an unpinned provider SDK from a package registry. This is expected for the Alibaba Cloud integration, but package provenance and version pinning are still user considerations.
python -m pip install dashscope
Install in the virtual environment as instructed, use a trusted package index, and consider pinning or locking the dashscope version for reproducibility.
The API key may allow model calls that process images and consume quota or incur costs on the associated Alibaba Cloud account.
The skill uses an Alibaba/DashScope credential for provider access. This is purpose-aligned, but the registry metadata declares no required env vars or primary credential.
Set `DASHSCOPE_API_KEY` in your environment, or add `dashscope_api_key` to `~/.alibabacloud/credentials`.
Use a dedicated least-privilege DashScope key where possible, avoid broad cloud credentials, and remove or rotate the key when no longer needed.
Prompts, image URLs, local paths, or response URLs may remain in the workspace and could be seen by later users, tools, or backups.
The helper writes the prompt and image reference into a local JSON request file. SKILL.md also instructs saving request payloads, result URLs, and a sample request/response pair.
"prompt": args.prompt,
"image": args.image,
...
out.write_text(json.dumps(req, ensure_ascii=False, indent=2), encoding="utf-8")
Avoid including secrets in prompts or image URLs, store outputs in a private location, and delete generated evidence files after sensitive work.
