Aliyun Qwen Ocr
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill is a coherent Alibaba Qwen OCR helper, but users should notice that OCR inputs may be prepared for Alibaba Cloud, API credentials are expected, and request payloads can be saved locally.
This skill appears safe for its stated OCR purpose. Before using it, confirm that your documents can be processed by Alibaba Cloud, use a limited DashScope API key, and be aware that request JSON files may contain sensitive image references or embedded data.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing Python packages can add third-party code to the user's environment.
The skill documents a user-directed package install outside an install spec. It is not automatic and is common provider setup, but it is still a supply-chain dependency users should install carefully.
python3 -m venv .venv
. .venv/bin/activate
python -m pip install requests
Use a virtual environment, install from trusted package indexes, and pin or review dependencies if using this in a sensitive environment.
Using this skill with a real API key may consume Alibaba Cloud quota or grant access according to that key's permissions.
The skill expects Alibaba Cloud credentials for provider access. This is purpose-aligned for Qwen OCR, but the registry metadata says no required credentials, so users should notice the account authority involved.
Set `DASHSCOPE_API_KEY` in environment, or add `dashscope_api_key` to `~/.alibabacloud/credentials`.
Use a dedicated, least-privilege API key, keep it out of prompts and saved files, and verify billing/quota settings.
Documents, image URLs, prompts, or base64 image data used for OCR may be processed by Alibaba Cloud if the request is submitted.
The documented workflow targets Alibaba Cloud DashScope endpoints. Sending selected images or prompts to that provider is expected for OCR, but it crosses a data boundary.
Domestic: `https://dashscope.aliyuncs.com/compatible-mode/v1/chat/completions`
International: `https://dashscope-intl.aliyuncs.com/compatible-mode/v1/chat/completions`
Global (Virginia): `https://dashscope-us.aliyuncs.com/compatible-mode/v1/chat/completions`
Only process documents that are allowed to be shared with Alibaba Cloud, and choose the appropriate regional endpoint and data-handling policy.
Sensitive OCR inputs may be retained in `output/aliyun-qwen-ocr/request.json` or another chosen output file.
The script persists the full generated request payload locally. Because the payload includes the image source and optional prompt/task configuration, sensitive URLs, data URLs, or extraction instructions may remain on disk.
output.write_text(json.dumps(payload, ensure_ascii=False, indent=2), encoding="utf-8")
Store outputs in an appropriate directory, avoid data URLs for highly sensitive images when persistence is not desired, and delete request files when no longer needed.
