Alibaba Cloud Model Setup
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The configured API key may allow OpenClaw to make paid or account-bound model requests to Alibaba Cloud.
The skill explicitly collects and stores an Alibaba/DashScope API key. This is expected for configuring a provider, but it is sensitive account authority.
Run interactive script to collect:
 - API key (with validation)
 - API key storage mode (env-var recommended or inline)
Use the least-privileged API key available, prefer environment-variable storage over inline config, and avoid sharing the generated config file.
Future OpenClaw requests may be routed to Alibaba Cloud models, potentially affecting cost, privacy, and model behavior.
The skill modifies local OpenClaw configuration and can update model defaults. This is the intended function, and the artifacts describe backups and validation.
Backup existing config before modification
6. **Update config** with provider, models, and defaults
Confirm the selected site, model, and default-provider setting before approving the config write; keep the timestamped backup until the setup is verified.
If used, the API key may remain available in future shell sessions or a user-level OpenClaw service until manually removed.
The script includes optional persistence mechanisms for the API key environment variable and can restart a user service. The flags are explicit and purpose-aligned, but they create lasting local environment changes.
--persist-env-shell ... "Write export line to shell profile (default ~/.bashrc)" ... --persist-env-systemd ... "Write env var to systemd user override and restart service"
Only enable shell or systemd persistence if you need it; know where the key is written and how to remove it later.
