Aliyun Wan R2v
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill is a coherent Alibaba Cloud video-generation helper, but users should notice it requires cloud credentials, installs an SDK, may send reference media to Alibaba Cloud, and saves request/output files locally.
This appears safe to install for Alibaba Cloud Wan R2V workflows. Before using it, install the SDK in a virtual environment, use an appropriately scoped DashScope/API key, confirm any cloud costs, and avoid uploading or retaining sensitive reference media unless you intend to.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The installed SDK version may change over time, which can affect behavior or compatibility.
The skill asks the user to install an external SDK, which is normal for this provider integration, but the package version is not pinned.
python -m pip install dashscope
Install in the suggested virtual environment and consider pinning or reviewing the dashscope package version for repeatable use.
Using this skill can access the configured Alibaba Cloud account and may incur provider usage costs.
The skill uses Alibaba Cloud credentials for the stated provider workflow. This is expected, and the artifacts do not show hardcoded keys, logging, or unrelated credential use.
Set `DASHSCOPE_API_KEY` in your environment, or add `dashscope_api_key` to `~/.alibabacloud/credentials`.
Use a scoped API key where possible, avoid sharing credentials in prompts or output files, and confirm the intended account before generating videos.
Reference videos/images and prompts may be processed by Alibaba Cloud as part of the requested generation task.
The skill's core workflow requires reference media for cloud video generation. This is purpose-aligned, but it means user-selected media may be provided to the external Alibaba Cloud service.
`reference_video` (string | bytes, required)
Only use reference media you are allowed to upload and avoid sensitive/private content unless you are comfortable with the provider handling it.
Local output folders may retain details about generated videos and reference material after the task completes.
The skill explicitly persists local evidence files. This is useful for auditability, but those files may contain prompts, media references, request IDs, or task outputs.
Save reference input metadata, request payloads, and task outputs in `output/aliyun-wan-r2v/`.
Review or delete generated output files if they contain sensitive prompts, media URLs, or provider task identifiers.