Alibabacloud Bailian Voice Creator

Warn

Audited by ClawScan on May 10, 2026.

Overview

The voice features are legitimate, but the skill can automatically use your Alibaba Cloud CLI profile to install a plugin and create/store DashScope API keys.

Review this skill before installing. Prefer manually setting DASHSCOPE_API_KEY, use a dedicated least-privilege Alibaba Cloud RAM user, disable or avoid automatic plugin installation if possible, and monitor/revoke any API keys the skill creates.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the skill may create a long-lived API key in your Alibaba Cloud account and use it for paid DashScope calls, even if you expected only local speech processing.

Why it was flagged

The helper uses local cloud credential/config state and can create and persist a new DashScope API key if none is found, which is high-impact account and credential authority for a voice-processing skill.

Skill content

Priority: 1. Alibaba Cloud CLI config ~/.aliyun/config.json current profile's dashscope.api_key; 2. Environment variable DASHSCOPE_API_KEY; 3. Auto-create via Alibaba Cloud CLI and save to config

Recommendation

Require explicit user confirmation before creating or deleting API keys, show the Alibaba profile/region/workspace/action, declare the credential and config-path requirements, and prefer a user-provided DASHSCOPE_API_KEY or a dedicated least-privilege RAM user.

What this means

A first use of the skill may modify your local Alibaba Cloud CLI installation and run newly installed plugin code outside the reviewed skill files.

Why it was flagged

The code can auto-install a pre-release Alibaba Cloud CLI plugin at runtime if the plugin is missing, without a pinned version or explicit install specification in the registry artifacts.

Skill content

subprocess.run(["aliyun", "plugin", "install", "--names", "aliyun-cli-modelstudio", "--enable-pre"], ...)

Recommendation

Make the plugin an explicit prerequisite or install step, remove automatic pre-release installation by default, pin or verify the plugin version/source, and ask for user approval before installing anything.

What this means

Audio URLs, text for synthesis, and recognition/synthesis metadata may be sent to Alibaba Cloud as part of normal operation.

Why it was flagged

The ASR flow sends the user-provided audio URL and API key to Alibaba Cloud DashScope; this is expected for the stated service, but users should know their content is processed by an external provider.

Skill content

requests.post('https://dashscope.aliyuncs.com/api/v1/services/audio/asr/transcription', headers={'Authorization': f'Bearer {api_key}'}, json={'model': 'qwen3-asr-flash', 'input': {'file_url': file_url}})

Recommendation

Only submit audio/text you are allowed to process with Alibaba Cloud, avoid sensitive public URLs unless intended, and review DashScope data handling and billing terms.