Aliyun Qwen Tts Voice Clone

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent Alibaba Cloud voice-cloning skill, but users should protect their API key, voice samples, generated voice IDs, and local output files.

Install only if you are comfortable using Alibaba Cloud Model Studio for voice cloning. Use clean samples only with consent, keep the API key scoped and private, and protect or delete output files and saved voice IDs after the task.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A changed or compromised dependency version could affect the local environment used for this skill.

Why it was flagged

The setup instructs the user to install the provider SDK from the package ecosystem without a pinned version. This is normal for an Alibaba Cloud integration, but package provenance and version drift are still worth noticing.

Skill content

python -m pip install dashscope

Recommendation

Install in a virtual environment as instructed, and consider pinning the DashScope package version from a trusted source.

What this means

The agent may be able to use the configured Alibaba Cloud key for voice-cloning requests within that account's permissions.

Why it was flagged

The skill needs Alibaba Cloud credentials to call Model Studio. This is expected for the stated provider workflow, but it gives access to the user's Alibaba Cloud account/API quota.

Skill content

Set `DASHSCOPE_API_KEY` in your environment, or add `dashscope_api_key` to `~/.alibabacloud/credentials`.

Recommendation

Use a dedicated, least-privilege API key where possible and avoid exposing shared or overly broad cloud credentials.

What this means

Stored voice IDs, request files, or evidence summaries may reveal voice-cloning activity and could enable future synthesis if reused with valid account access.

Why it was flagged

A generated `voice_id` can be a sensitive reusable handle for a cloned voice. The skill also saves artifacts and response summaries under output directories, so retention and reuse should be controlled.

Skill content

Persist generated `voice_id` and reuse for future synthesis requests.

Recommendation

Store output files and voice IDs securely, delete them when no longer needed, and require explicit user approval before reusing a saved cloned voice.