Security audit

Aliyun Emoji

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Alibaba Cloud emoji-video helper that discloses its use of a portrait URL, an API key, and local output handling; privacy cleanup guidance is warranted.

Install only if you intend to process portrait images with Alibaba Cloud Model Studio. Use images you have permission to process, prefer a dedicated scoped API key, avoid sensitive or long-lived public portrait URLs, and delete or protect output/aliyun-emoji after the saved request evidence is no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill documentation describes network access to Alibaba Cloud APIs and writing artifacts under output/aliyun-emoji/, but it does not declare corresponding permissions. Undeclared capabilities reduce transparency and can bypass policy or reviewer expectations, making it harder to assess what the skill is allowed to do and increasing the chance of unsafe deployment.

Missing User Warnings

Low
Confidence
73% confidence
Finding
The skill instructs users to set DASHSCOPE_API_KEY in the environment or credentials file, but it does not warn against logging, committing, or broadly exposing those secrets. While this is standard operational guidance, the lack of secret-handling precautions can lead to accidental credential disclosure through shell history, output files, or source control.

Session Persistence

Medium
Category
Rogue Agent
Content
## Validation

```bash
mkdir -p output/aliyun-emoji
python -m py_compile skills/ai/video/aliyun-emoji/scripts/prepare_emoji_request.py && echo "py_compile_ok" > output/aliyun-emoji/validate.txt
```
Confidence
80% confidence
Finding
mkdir -p output/aliyun-emoji python -m py_compile skills/ai/video/aliyun-emoji/scripts/prepare_emoji_request.py && echo "py_compile_ok" > output/aliyun-emoji/validate.txt ``` Pass criteria: command e

VirusTotal

59/59 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.