analyze video by qwen
ReviewAudited by ClawScan on May 10, 2026.
Overview
The video-analysis function matches its description, but the skill includes broad local Python and chmod command permissions that are wider than the documented analyzer command.
Use this skill only if you are comfortable sending the selected videos and prompts to DashScope/Qwen and using your DashScope API key. Before installing, consider narrowing or removing the .claude Bash allow rules, especially the unrestricted python3 and chmod permissions, and pin the dashscope dependency.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent or a later prompt misuses this permission, it could run local Python code or change file permissions unrelated to analyzing a video.
These permissions are not limited to scripts/analyze.py or the skill directory. They could allow arbitrary python3 execution or chmod changes beyond the documented video-analysis workflow.
"allow": ["Bash(chmod:*)", "Bash(python3:*)"]
Remove the chmod allow rule unless needed, and scope Python permission to the exact analyzer command, such as running only scripts/analyze.py with user-provided arguments.
Analysis requests use the user's DashScope account and may consume quota or incur charges.
The script reads a DashScope API key from the user's OpenClaw config. This is expected for calling Qwen/DashScope, but it means the skill uses the user's provider credential.
api_key = config.get("skills", {}).get("dashscope", {}).get("apiKey")Use a dedicated DashScope key if possible, monitor usage, and avoid sharing ~/.openclaw/openclaw.json.
Local videos, remote video URLs, prompts, and resulting analysis may be processed by Aliyun DashScope/Qwen.
The selected video source and prompt are provided to the DashScope/Qwen API for analysis. This is the stated purpose, but it is an external provider data flow.
dashscope.base_http_api_url = "https://dashscope.aliyuncs.com/api/v1" ... MultiModalConversation.call(api_key=api_key, model='qwen3.5-plus', messages=messages)
Only analyze videos you are comfortable sending to the provider, and review DashScope's data handling terms for sensitive content.
Dependency changes could alter behavior or introduce vulnerabilities even if the current skill code is simple.
The dependency is not version-pinned, so a future manual install could resolve to a different package version than the author tested.
dashscope
Pin the dashscope version and install from a trusted package index before use.