Back to skill

Security audit

千问文生图

Security checks across malware telemetry and agentic risk

Overview

This documentation-only skill tells an agent how to generate images through Alibaba DashScope/Qwen, with the external API use and API key requirement clearly tied to that purpose.

Install this if you want your agent to use Alibaba DashScope/Qwen for image generation. Avoid putting sensitive or confidential information in prompts unless you are comfortable sending it to DashScope, and monitor API key use for quota or billing impact.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The skill description is broad enough to trigger on ordinary requests about images, drawing, text-to-image, or mentions of Qwen/Alibaba Cloud, which can cause over-invocation of this skill outside narrowly intended contexts. In an agent system, overly broad routing can unexpectedly send user prompts and generated content requests to an external provider, increasing privacy, cost, and policy-enforcement risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.