Alibabacloud Video Forge

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill appears purpose-aligned for Alibaba Cloud video processing, but users should notice that it requires cloud credentials, cloud storage/media permissions, external uploads, and setup commands that install or update tools.

Before installing, make sure you are comfortable granting Alibaba Cloud OSS and MPS access to a dedicated least-privilege RAM identity. Verify the bucket, region, and output paths before running jobs, use dry-run for deletion, and be cautious with the documented CLI installer/plugin auto-update steps.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can use the configured Alibaba Cloud identity to process, list, upload, download, and optionally delete cloud video objects, and may incur cloud charges.

Why it was flagged

The skill needs Alibaba Cloud media-processing permissions and OSS object permissions, including delete/list access and MPS actions scoped to Resource "*" because of the provider's authorization model.

Skill content

"Action": ["mts:SubmitJobs", ... "mts:QueryTemplateList"], "Resource": "*" ... "Action": ["oss:GetObject", "oss:PutObject", "oss:DeleteObject", "oss:ListObjects", "oss:GetBucketInfo"]

Recommendation

Use a dedicated RAM user or role with the minimum needed permissions, restrict OSS access to the intended bucket, and apply condition limits such as source IP or time window where practical.

What this means

Installing or updating CLI tools/plugins can change the local environment and execute code from external package sources.

Why it was flagged

The setup guidance includes executing a remote installer and enabling automatic plugin installation/updates. This is related to Aliyun CLI use, but it depends on external code and future plugin updates.

Skill content

run `curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash` ... [MUST] run `aliyun configure set --auto-plugin-install true` ... [MUST] run `aliyun plugin update`

Recommendation

Prefer official package managers or verified downloads, review installer sources when possible, and run setup in a controlled environment such as a virtual machine or least-privileged user account.

What this means

A mistaken prefix or forced delete could remove multiple OSS objects from the configured bucket.

Why it was flagged

The OSS delete helper supports recursive prefix deletion and a force option that skips confirmation. The documentation also recommends dry-run preview, so this is disclosed and user-directed.

Skill content

`--prefix` ... `--recursive` ... `--force` ... Force deletion, skipping the confirmation prompt (for script automation)

Recommendation

Use `--dry-run` before deletion, avoid `--force` unless automation is truly needed, and restrict the RAM identity to only the intended bucket or prefix where possible.

What this means

Private or sensitive videos processed with this skill will be uploaded to and analyzed by Alibaba Cloud services under the configured account.

Why it was flagged

The core workflow sends selected video files to Alibaba Cloud OSS/MPS and may generate moderation results and downloadable outputs. The destination is disclosed and aligned with the purpose.

Skill content

Upload video to OSS storage ... Content moderation (pornography, violence, advertising, etc.) ... Get download links for processed videos

Recommendation

Only process videos you are allowed to upload to Alibaba Cloud, confirm the bucket/region, and follow your organization's data handling and retention requirements.

What this means

Future Aliyun CLI use may automatically install plugins or carry the configured user-agent behavior.

Why it was flagged

These are persistent Aliyun CLI configuration changes. They are disclosed setup steps and do not show hidden background execution, but they can affect later CLI behavior.

Skill content

`aliyun configure set --auto-plugin-install true` ... `aliyun configure ai-mode enable` ... `aliyun configure ai-mode set-user-agent --user-agent "AlibabaCloud-Agent-Skills/alibabacloud-video-forge"`

Recommendation

Review Aliyun CLI configuration after use and disable automatic plugin installation if it is not desired for future sessions.