Qwen Vision

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward image-analysis client for Alibaba Cloud DashScope, but users should notice that selected images and an API key are sent to the provider.

This appears safe for its stated purpose. Before installing or using it, confirm you are comfortable sending chosen images to Alibaba Cloud DashScope and supplying a DashScope API key; avoid sensitive images and protect the key from command history, logs, or shared conversations.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Low
What this means

A DashScope API key may allow paid API usage or account access within that provider's scope.

Why it was flagged

The skill relies on a DashScope provider credential and points to local configuration/env locations, while the registry metadata declares no required credential. This is expected for the integration but users should treat the key as sensitive.

Skill content

Get your API key from:
- `models.providers.bailian.apiKey` in `~/.openclaw/openclaw.json`
- Or `skills."qwen-image".apiKey` in `~/.openclaw/openclaw.json`
- Or `DASHSCOPE_API_KEY` environment variable

Recommendation

Use a dedicated, least-privileged DashScope key if available, avoid exposing it in shared logs or prompts, and verify the configured key is intended for this skill.

ASI07: Insecure Inter-Agent Communication
Low
What this means

Any selected image, including documents, screenshots, or personal photos, will be sent to Alibaba Cloud DashScope for analysis.

Why it was flagged

The documentation explicitly states that image contents are transmitted to an external API. This is core to the skill's purpose, but it is still an important privacy-relevant data flow.

Skill content

- Images are encoded as base64 and sent via API

Recommendation

Only analyze images you are comfortable sending to DashScope, and avoid sensitive or regulated content unless your policy permits it.