ClawHub
Back to skill
v1.0.0

Alibaba Ai Video Wan Video

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:33 AM.

Analysis

The skill mostly matches Alibaba video generation, but its scripts contain a hardcoded DashScope API key that can be used silently, so it should be reviewed before installation.

GuidanceReview or remove the hardcoded API key before installing. Use your own DASHSCOPE_API_KEY with clear billing expectations, understand that prompts are sent to Alibaba Cloud, choose output paths carefully, and do not rely on the advertised image-to-video or digital-human scripts unless reviewed copies are provided.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
scripts/wanx-video.sh
curl -s -X POST "$ENDPOINT" ... -H "Authorization: Bearer $API_KEY" ... -d "$REQUEST_DATA"

The script sends the user prompt and generation parameters to Alibaba DashScope and later downloads the returned video to the requested output path; this is purpose-aligned but is still an external API and local file-write workflow.

User impactPrompts sent to the service may leave the local environment, may incur provider charges, and the output file path should be chosen carefully.
RecommendationUse only prompts and source material you are comfortable sending to Alibaba Cloud, and confirm the output path before running the script.
Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
SKILL.md
{baseDir}/scripts/wanx-i2v.sh ... {baseDir}/scripts/wanx-digital-human.sh

SKILL.md references helper scripts for image-to-video and digital-human workflows, but the provided manifest includes only scripts/generate-video.sh and scripts/wanx-video.sh.

User impactSome advertised features may fail or may require obtaining additional, unreviewed helper code.
RecommendationShip the referenced scripts with the skill or remove those examples; review any additional helper scripts before use.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityHighConfidenceHighStatusConcern
scripts/wanx-video.sh
API_KEY="${DASHSCOPE_API_KEY:-sk-96743...}"

The main script silently uses an embedded DashScope API key when the required user environment variable is missing, so API calls may run under an undisclosed credential rather than the user's configured account.

User impactVideo-generation requests and prompts could be submitted using an embedded credential with unclear owner, quota, logging, and billing implications.
RecommendationRemove the hardcoded key, require DASHSCOPE_API_KEY to be set, and document the required credential scope and billing expectations.