Alibabacloud Video Translation
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill appears aligned with Alibaba Cloud video translation, but it needs review because it uses local Aliyun credentials, uploads video data, and changes Aliyun CLI plugin settings that are not declared in the registry metadata.
Install only if you intend to use Alibaba Cloud IMS/OSS. Before running it, confirm the active Aliyun profile/account, use a least-privilege RAM policy, review any auto-plugin-install change, and verify the OSS bucket and signed-link settings for sensitive videos.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the active Aliyun profile is overly broad or belongs to the wrong account, the agent could submit cloud jobs, incur costs, and read or write video objects in that account.
This hard-gate check shows that the skill expects to use the user's configured Aliyun credential profile, even though the registry metadata declares no primary credential. Those credentials are then used for cloud translation and OSS operations.
Credential status | `aliyun configure list` | Valid status | STOP, guide configuration
Declare the Aliyun credential requirement in metadata, require explicit profile/account confirmation, and recommend a least-privilege RAM user scoped to the intended buckets and region.
This can persistently change local CLI behavior and cause future Aliyun CLI plugin downloads without a separate install review.
The agent is instructed to automatically change Aliyun CLI configuration so plugins can be installed automatically, but the registry has no install spec or required binary declaration.
Plugin installation | `aliyun configure set --auto-plugin-install true` | Set | Auto-set
Ask the user before enabling auto-plugin-install, document the persistent change, and declare Aliyun CLI/plugin requirements in the skill metadata or install spec.
A malformed generated command could be sent to Alibaba Cloud rather than being caught locally by the CLI plugin.
The command templates intentionally bypass CLI plugin parameter validation for some job submissions. This is documented and purpose-aligned, but it reduces a safety check before cloud API calls.
Add `--force` to skip plugin parameter validation
Use `--force` only when necessary, keep the blocking user confirmations, and show the final command parameters before submitting jobs.
Private or sensitive video content may be stored and processed in Alibaba Cloud, and outputs may later be shared through OSS URLs.
The skill uploads local video files to Alibaba OSS for processing. This is central to the stated purpose and asks for an OSS path, but it moves potentially private media to a cloud provider.
Local video ... AskUserQuestion: "Please provide OSS upload path" ... Upload file: aliyun oss cp <local_path> <oss_path>
Upload only intended files, verify bucket access controls, use short-lived signed URLs when sharing results, and avoid public buckets for sensitive media.
