Alibabacloud Bailian Video Creator
WarnAudited by ClawScan on May 14, 2026.
Overview
This is a coherent Alibaba DashScope video skill, but it should be reviewed because it can automatically use local Alibaba Cloud credentials to create/delete/store API keys and auto-install a CLI plugin at runtime.
Install only if you are comfortable with the skill using your Alibaba Cloud CLI profile or a DashScope API key. Safer use is to provide a least-privileged DASHSCOPE_API_KEY yourself, avoid automatic key creation/deletion, manually verify any CLI plugin installation, and confirm costs and media sensitivity before generating or analyzing videos.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or invoking the skill may let it use your Alibaba Cloud account profile to mint and persist API credentials, which can affect account security and future cloud usage.
The helper reads the local Alibaba Cloud CLI profile, stores DashScope API keys there, and can auto-create a new key instead of requiring a user-supplied API key.
Storage location: ~/.aliyun/config.json ... Priority: 1. Alibaba Cloud CLI config ~/.aliyun/config.json current profile's dashscope.api_key ... 3. Auto-create via Alibaba Cloud CLI and save
Prefer supplying a least-privileged DASHSCOPE_API_KEY yourself; avoid granting API-key creation/deletion permissions unless you explicitly want the skill to manage keys, and review/revoke generated keys after use.
A misconfiguration or unintended invocation could create or delete DashScope API keys in the connected Alibaba Cloud account.
The documented RAM policy grants cloud-account mutation authority for API key creation and deletion across resources, which is broader than simply calling a video generation API.
`modelstudio:ListWorkspaces`, `modelstudio:CreateApiKey`, `modelstudio:DeleteApiKey` ... `Resource`: `*`
Use the narrow custom policy only if automatic key management is required, do not use broad full-access policies casually, and confirm which workspace/profile the CLI is using before running the skill.
Runtime plugin installation can change the local Alibaba Cloud CLI environment and executes code that is not part of the reviewed skill package.
The skill may install an external Alibaba Cloud CLI plugin during runtime, including a pre-release flag, despite having no install specification declaring this setup step.
subprocess.run(["aliyun", "plugin", "install", "--names", "aliyun-cli-modelstudio", "--enable-pre"], ...)
Manually install and verify required Alibaba Cloud CLI plugins before use, or require the skill to ask for explicit approval before any runtime installation.
Generating videos may consume Alibaba Cloud quota or incur charges.
The skill creates remote video generation tasks under the user's API key and later prints an estimated cost, indicating billable cloud usage.
requests.post(f"{BASE_URL}/services/aigc/video-generation/video-synthesis", ...); ... print(f"Estimated cost: ¥{total_cost:.2f}")Ask the agent to show the final prompt, model, duration, resolution, and estimated cost before starting a generation task.
Alibaba Cloud may receive prompts, image/video/audio URLs, and related media content needed to perform the requested task.
Prompts and media URLs are sent to Alibaba Cloud DashScope, which is expected for this integration but is an important external data boundary.
This skill completes all video generation and content analysis tasks via the DashScope remote API
Do not submit confidential media or private URLs unless you are comfortable with DashScope processing them under your account and applicable policies.