Back to skill

Security audit

Aliyun Qwen Tts Voice Design

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Alibaba Cloud Qwen TTS voice-design helper with expected API-key setup and no evidence of hidden execution, exfiltration, persistence, or destructive behavior.

Before installing, be comfortable using an Alibaba Cloud DashScope API key and store it securely: avoid committing credentials files, avoid printing the key in logs or screenshots, and prefer a least-privilege environment setup. Treat the region/resource workflow text as generic guidance and keep actual use scoped to voice prompt testing, synthesis requests, and local output files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence
91% confidence
Finding
The skill tells users to set `DASHSCOPE_API_KEY` or store `dashscope_api_key` in a credentials file, but it does not warn about protecting secrets, avoiding logs, or restricting file permissions. This increases the risk of accidental credential exposure through shell history, screenshots, shared environments, repository commits, or overly permissive credential files.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.