Aliyun Qwen Multimodal Embedding

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a straightforward Alibaba Cloud embedding helper; it discloses provider credential and data-flow needs, and the reviewed code only writes a request JSON locally.

This skill appears safe for its stated purpose. Before using it, configure only the Alibaba/DashScope credentials you intend to use, submit only content you are comfortable sending to the provider, and clean up generated output files if they contain sensitive inputs or media references.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

It may be harder to independently verify the publisher or upstream project.

Why it was flagged

The package has limited provenance metadata. Because there is no install spec, no dependency download, and the included script is small and reviewable, this is a notice rather than a concern.

Skill content

Source: unknown
Homepage: none

Recommendation

Review the included files and confirm the publisher before using it in production workflows.

What this means

Using the skill with a real API key may allow model calls and billing on the configured Alibaba Cloud account.

Why it was flagged

The skill relies on Alibaba Cloud/DashScope credentials for its stated provider integration. This is purpose-aligned, but the registry metadata does not declare a required credential.

Skill content

Set `DASHSCOPE_API_KEY` in your environment, or add `dashscope_api_key` to `~/.alibabacloud/credentials`.

Recommendation

Use a scoped key, avoid pasting credentials into prompts or logs, and configure credentials only when you intend to call Alibaba Model Studio.

What this means

Private media or text could be processed by an external provider if selected for embedding.

Why it was flagged

The workflow may send selected text, image, or video references to Alibaba Model Studio or a client upload layer. This is expected for multimodal embedding, but it is an external data flow.

Skill content

- `images` (array<string>, optional): public URLs or local paths uploaded by your client layer
- `videos` (array<string>, optional): public URLs where supported

Recommendation

Only submit intended content, prefer private or expiring object-storage URLs, and review the provider's data-handling policy for sensitive inputs.

What this means

Sensitive prompts, media URLs, or local path names may remain on disk after use.

Why it was flagged

The skill intentionally persists request payloads and sample input references to local output files. This is useful for reproducibility but may retain sensitive text or file/URL references.

Skill content

Save normalized request payloads, selected dimensions, and sample input references under `output/aliyun-qwen-multimodal-embedding/`.

Recommendation

Avoid including secrets in embedding inputs and delete or protect generated output files when they contain private data.