Alibabacloud Bailian Image Creator
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This image-generation skill is mostly purpose-aligned, but it can automatically use your Alibaba Cloud CLI account to install a plugin and create or delete DashScope API keys.
Install only if you trust this skill with Alibaba Cloud account-level API-key management. Prefer a restricted RAM user or a manually provided DashScope key, verify the CLI plugin yourself, and avoid sending sensitive images unless Alibaba Cloud processing is acceptable.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running an image task could mutate your Alibaba Cloud account by creating or deleting API keys using credentials already configured on your machine.
The helper uses the current Alibaba Cloud CLI profile and can automatically create and delete DashScope API keys, which is account-level credential management rather than just image generation.
current = config.get("current", "default") ... ["aliyun", "modelstudio", "create-api-key", ...] ... _delete_cloud_api_key(orphan_id)
Use a dedicated least-privilege RAM user or a pre-created DASHSCOPE_API_KEY, and do not allow automatic key creation/recycling unless you understand the account impact.
First use may change your local Alibaba Cloud CLI environment by downloading and enabling additional plugin code.
The skill can auto-install a CLI plugin at runtime, including a pre-release option, without a pinned version or install-spec disclosure.
["aliyun", "plugin", "install", "--names", "aliyun-cli-modelstudio", "--enable-pre"]
Install and verify the Alibaba Cloud ModelStudio plugin yourself from a trusted source, prefer pinned/stable versions, and require explicit approval before runtime installs.
Image generation can incur Alibaba Cloud charges without an interactive confirmation prompt in some agent environments.
The script asks for cost confirmation only in an interactive terminal; in a non-interactive agent runtime it proceeds directly to the paid API call.
if sys.stdin.isatty():
confirm = input("\nProceed with generation? (y/n): ") ... response = MultiModalConversation.call(
Confirm expected costs before invoking the skill and consider adding an explicit approval step for paid API calls.
Images you ask the skill to edit or analyze may leave your machine and be processed by Alibaba Cloud.
For local image editing, selected local files are Base64-encoded and sent to the DashScope provider API, which is expected for this skill but sensitive if the images are private.
if img.startswith('file://'):
... processed_images.append(image_to_base64(local_path)) ... MultiModalConversation.call(api_key=api_key, model=model, messages=messages, ...)
Use only images you are allowed and comfortable to upload to DashScope, especially for personal photos, documents, or confidential business images.
