Aliyun Videoretalk

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent Alibaba Cloud VideoRetalk helper; it uses expected provider credentials/API calls and stores selected media URLs locally, with no hidden or suspicious code found.

Install/use this only if you are comfortable sending the selected public video/audio URLs to Alibaba Cloud and using a DashScope API key. Review generated files under output/aliyun-videoretalk/ before sharing or committing them.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Selected video/audio URLs and job parameters may be sent to Alibaba Cloud, and task submission may consume provider quota or incur charges.

Why it was flagged

The skill instructs the agent to use scoped Alibaba Cloud provider API calls. This is disclosed and central to the purpose, but it is still an external action users should notice.

Skill content

Submit task: `POST https://dashscope.aliyuncs.com/api/v1/services/aigc/image2video/video-synthesis/`; Poll task: `GET https://dashscope.aliyuncs.com/api/v1/tasks/{task_id}`

Recommendation

Confirm the exact media URLs, region, and expected cost before submitting a task; only use media links you intend to share with Alibaba Cloud.

What this means

The agent may use your Alibaba Cloud credential to access DashScope VideoRetalk and create tasks under your account.

Why it was flagged

The skill uses Alibaba Cloud account credentials for its provider integration. That is expected for this purpose, though it is not reflected in the registry credential metadata.

Skill content

Set `DASHSCOPE_API_KEY` in your environment, or add `dashscope_api_key` to `~/.alibabacloud/credentials`.

Recommendation

Use a least-privileged API key where possible, keep it out of shared logs, and confirm provider usage before running tasks.

What this means

If the output directory is shared, committed, or reused, others may see private media URLs or task details.

Why it was flagged

The skill intentionally persists job evidence locally, including exact media URLs and task snapshots. This is disclosed and scoped, but those records can be sensitive.

Skill content

Save normalized request payloads, target face selection settings, and task polling snapshots under `output/aliyun-videoretalk/`. Record the exact video/audio input URLs

Recommendation

Keep the output directory private, avoid committing generated files, and delete snapshots when they are no longer needed.