v0.2.1

qwencloud-text

SuspiciousClawScan verdict for this skill. Analyzed Apr 30, 2026, 2:22 PM.

Analysis

The skill mostly matches Qwen text generation, but it under-declares its required API credential and includes an update-check helper that can prompt unpinned installs and run another skill's code.

GuidanceUse this skill only if you are comfortable providing a QwenCloud API key and sending prompts to QwenCloud or a configured compatible endpoint. Before running update-related commands, verify the source and version, and review any persistent CLAUDE.md or AGENTS.md changes.

Findings (8)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityLowConfidenceHighStatusNote

references/api-guide.md

Workflow: **Define tools → Model returns tool call instruction → Execute tool → Send result back → Get final answer.**

The skill supports model function-calling workflows. The bundled script does not itself execute arbitrary local tools, but the guidance could lead an agent or user to execute model-requested functions without clearly stated approval or impact limits.

User impactIf connected to powerful tools, Qwen model tool-call suggestions could trigger actions beyond a simple chat response.

RecommendationUse function calling only with narrow, well-described tools and require user confirmation before any action that changes files, accounts, purchases, deployments, or other persistent state.

Agentic Supply Chain Vulnerabilities

SeverityMediumConfidenceHighStatusConcern

scripts/gossamer.py

INSTALL_CMD = f"npx skills add {_SKILLS_REPO} --skill qwencloud-update-check -y"

The text skill bundles an update-check helper that prompts installation from an external repository via npx without a visible version pin. This is outside the core text-generation path and adds supply-chain dependency risk.

User impactA user may be prompted to install additional code from a remote source, and the command uses automatic confirmation.

RecommendationDo not run the suggested npx command unless you trust the source and have reviewed the exact version. Prefer pinned versions and documented provenance.

Unexpected Code Execution

SeverityMediumConfidenceHighStatusConcern

scripts/gossamer.py

proc = subprocess.run(
                    [sys.executable, str(script), "--print-response"],
                    capture_output=True, text=True, timeout=15,
                )

When an update-check skill is installed, this helper executes that other skill's Python script during the text skill's update-check flow. Running another component's code is not necessary for a basic text chat API call.

User impactUsing the text skill can trigger execution of an auxiliary update-check script if present, increasing the amount of local code that must be trusted.

RecommendationReview and trust the update-check skill before allowing it to be installed or used, and consider disabling update checks in environments that require minimal code execution.

Cascading Failures

SeverityLowConfidenceHighStatusNote

scripts/gossamer.py

skills = _read_installed_skills(repo)
    skill_args = " ".join(skills) if skills else ""
    return f"npx skills add {_SKILLS_REPO} --skill {skill_args} -y"

The update helper can build a command covering all installed qwencloud-* skills. A single update prompt could therefore affect multiple skills, although the artifact shows it is printed for the user rather than automatically executed.

User impactRunning the suggested update command may change more than just this text skill.

RecommendationBefore running any generated update command, check which skills it will update and back up or pin versions in sensitive projects.

Human-Agent Trust Exploitation

SeverityMediumConfidenceHighStatusConcern

metadata

Required env vars: none
Env var declarations: none
Primary credential: none

The registry-facing requirements say no credential is needed, but the runtime script and skill instructions require a QwenCloud API key. This mismatch can cause users to underestimate credential and cost implications.

User impactA user may install the skill believing it needs no account access, then later be asked to configure a sensitive paid-service credential.

RecommendationThe publisher should declare the required API key and paid-service nature in metadata; users should review credential requirements before installation.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityHighConfidenceHighStatusConcern

scripts/text.py

DASHSCOPE_API_KEY  (required) API key — also loaded from .env file
  QWEN_API_KEY       (alternative) Alias for DASHSCOPE_API_KEY

The script requires a provider API credential, while the registry metadata declares no required env vars and no primary credential. This under-declares access to a third-party account credential that may authorize paid model usage.

User impactInstalling or using the skill may require a sensitive QwenCloud key and can consume account quota or incur costs despite the metadata saying no credential is required.

RecommendationTreat this as a credentialed paid-service skill. Use a scoped API key if available, store it only in trusted environment configuration, monitor usage, and ask the publisher to correct the credential declaration.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityLowConfidenceHighStatusNote

references/agent-compatibility.md

**Ask the user before modifying any file.** Then append to their config:

```markdown
<!-- QWENCLOUD_SKILLS -->
## QwenCloud Skills

When a request matches a skill below, read its SKILL.md before responding.

The compatibility guide can persist skill-loading instructions into agent config files. It includes a user-approval guard and markers, but the resulting instructions can affect future sessions.

User impactFuture agent behavior may be changed by a persistent QwenCloud skills block in CLAUDE.md or AGENTS.md.

RecommendationApprove config changes only after reviewing the generated block and the listed sibling skills; remove the marked block if you no longer want this persistent behavior.

Insecure Inter-Agent Communication

SeverityMediumConfidenceHighStatusNote

scripts/qwencloud_lib.py

url = os.getenv("QWEN_BASE_URL")
...
if url:
            return url.rstrip("/")

The provider endpoint can be overridden entirely by an environment variable. This is useful for custom endpoints, but prompts and authorization headers may be sent to the configured URL.

User impactIf QWEN_BASE_URL is set incorrectly or maliciously in the environment, requests and API credentials could be directed away from the intended QwenCloud endpoint.

RecommendationUse the default endpoint unless you intentionally need an override, and verify QWEN_BASE_URL before running the skill in shared or untrusted environments.