Security audit

Alibabacloud Bailian Video Creator

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but during normal use it can automatically create persistent Alibaba Cloud API keys and install a CLI plugin, so review it carefully before installation.

Install only if you are comfortable with a cloud-backed video skill that sends prompts and media URLs to Alibaba Cloud DashScope and may incur billing. Supply a manually created, minimally scoped DASHSCOPE_API_KEY, install the Alibaba Cloud CLI ModelStudio plugin yourself rather than relying on runtime auto-installation, and do not grant the skill broad Alibaba Cloud account permissions unless you explicitly want it to create and delete API keys on your behalf.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (23)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""Auto-install the ModelStudio plugin."""
    try:
        print("Auto-installing ModelStudio plugin...", file=sys.stderr)
        result = subprocess.run(
            ["aliyun", "plugin", "install",
             "--names", "aliyun-cli-modelstudio", "--enable-pre"],
            capture_output=True,
Confidence
94% confidence
Finding
result = subprocess.run( ["aliyun", "plugin", "install", "--names", "aliyun-cli-modelstudio", "--enable-pre"], capture_output=True, text=True,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
workspace_id = _get_workspace_id()

    try:
        result = subprocess.run(
            ["aliyun", "modelstudio", "create-api-key",
             "--region", "cn-beijing",
             "--workspace-id", workspace_id,
Confidence
96% confidence
Finding
result = subprocess.run( ["aliyun", "modelstudio", "create-api-key", "--region", "cn-beijing", "--workspace-id", workspace_id, "--description
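The two subprocess findings above are keyword matches; a reviewer wants to know specifically which aliyun invocations change state. The following static check is an added example written for this audit, not code from the skill or from SkillSpector. It parses a script with Python's ast module, looks at every subprocess.run/call/check_output/Popen whose argv literal starts with "aliyun", and reports the side effects the findings describe (plugin installation, API-key creation) plus any hard-coded --region value. The SAMPLE source is constructed from the snippets quoted in the findings (its "--description" value and function names are filled in for illustration), and RISKY_SUBCOMMANDS is this example's own table.

```python
"""Static check for hidden aliyun CLI side effects in an agent skill's scripts.

Added example for this audit, not code from the skill or from SkillSpector.
Limitation: only calls written as `subprocess.<func>([...literal argv...])`
are inspected; argv built dynamically or shell=True strings are not followed.
"""
import ast
from dataclasses import dataclass

# aliyun subcommand pairs that change cloud or local state (this example's table)
RISKY_SUBCOMMANDS = {
    ("plugin", "install"): "installs a CLI plugin from the network",
    ("modelstudio", "create-api-key"): "creates a persistent cloud API key",
    ("modelstudio", "delete-api-key"): "deletes a cloud API key",
}
SUBPROCESS_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}

# Constructed from the snippets quoted in the findings; "--description" value added.
SAMPLE = '''
import subprocess, sys

def _auto_install_plugin():
    """Auto-install the ModelStudio plugin."""
    result = subprocess.run(
        ["aliyun", "plugin", "install",
         "--names", "aliyun-cli-modelstudio", "--enable-pre"],
        capture_output=True, text=True)

def _create_key(workspace_id):
    result = subprocess.run(
        ["aliyun", "modelstudio", "create-api-key",
         "--region", "cn-beijing",
         "--workspace-id", workspace_id,
         "--description", "auto"],
        capture_output=True, text=True)

def _harmless():
    subprocess.run(["aliyun", "configure", "list"], capture_output=True)
'''


@dataclass
class Hit:
    line: int       # line of the subprocess call in the scanned source
    argv: tuple     # argv literal, with non-literal elements shown as "<dynamic>"
    reason: str


def _is_subprocess_call(node: ast.Call) -> bool:
    f = node.func
    return (isinstance(f, ast.Attribute) and f.attr in SUBPROCESS_FUNCS
            and isinstance(f.value, ast.Name) and f.value.id == "subprocess")


def _literal_argv(node: ast.Call):
    """argv tuple if the first positional arg is a list/tuple; None otherwise."""
    if not node.args or not isinstance(node.args[0], (ast.List, ast.Tuple)):
        return None
    out = []
    for elt in node.args[0].elts:
        if isinstance(elt, ast.Constant) and isinstance(elt.value, str):
            out.append(elt.value)
        else:
            out.append("<dynamic>")   # e.g. the workspace_id variable
    return tuple(out)


def scan_source(src: str) -> list:
    """Return a Hit for every state-changing or region-pinned aliyun invocation."""
    hits = []
    for node in ast.walk(ast.parse(src)):
        if not (isinstance(node, ast.Call) and _is_subprocess_call(node)):
            continue
        argv = _literal_argv(node)
        if not argv or argv[0] != "aliyun":
            continue
        reason = RISKY_SUBCOMMANDS.get(argv[1:3])
        if reason:
            hits.append(Hit(node.lineno, argv, reason))
        if "--region" in argv:
            i = argv.index("--region") + 1
            if i < len(argv) and argv[i] != "<dynamic>":
                hits.append(Hit(node.lineno, argv, f"hard-codes region {argv[i]}"))
    return hits


if __name__ == "__main__":
    for h in scan_source(SAMPLE):
        print(f"line {h.line}: {h.reason}: {' '.join(h.argv)}")
```

Run it against the skill's scripts directory (read each file and pass the text to scan_source) before installation; every reported line is a place where the skill needs a consent step or where you should pre-provision the key and plugin yourself so the code path is never taken.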

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The module documentation states it handles API key management and storage, but the code also auto-installs a CLI plugin. In an agent setting, misleading docs hide system-modifying side effects, reducing informed consent and making risky behavior harder to detect or review.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
`get_api_key()` sounds like a read-only accessor, but it can create a new cloud API key and persist it locally. That hidden side effect is dangerous because callers may invoke it assuming simple retrieval while actually provisioning durable credentials on the user's account.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill fetches an API key and performs authenticated outbound requests without any manifest, capability declaration, or visible user-consent flow establishing that such networked access is expected. In an agent-skill setting, undeclared authenticated egress increases the risk of covert data transfer, misuse of account-scoped credentials, and operation outside the user's security expectations.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code transmits user-supplied prompts and video URLs to a third-party endpoint, but there is no manifest-declared purpose or authorization metadata describing that external sharing. Even if the business purpose is legitimate video editing, silent transfer of user content to an external AI provider is a privacy and governance issue in agent environments.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The skill is framed broadly for generic video generation, editing, and analysis requests, with no meaningful scoping limits, safety boundaries, or explicit exclusions for sensitive content. Broad routing increases the chance the agent will invoke this skill in contexts where users did not expect remote upload, credential use, billing, or environment changes.

Missing User Warnings

High
Confidence
96% confidence
Finding
The metadata states that first run may automatically create/recycle DashScope API keys and install an Alibaba Cloud CLI plugin, which are credential and environment modifications with security implications. Performing such actions without a prominent upfront consent step can change a user's cloud account state and local tooling unexpectedly.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation explicitly instructs users to send video content and prompts to third-party DashScope endpoints, but it does not warn that uploaded media, prompts, and derived metadata leave the local environment and may contain sensitive or regulated data. In a skill context, this omission can cause accidental privacy, compliance, or data-governance violations when users assume examples are safe to use with real internal content.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The examples use DASHSCOPE_API_KEY in shell commands and SDK calls without warning about secret handling, which can lead users to expose credentials in shell history, screenshots, CI logs, notebooks, or shared terminals. While the example does not hardcode a real key, the missing guidance increases the chance of credential leakage during normal use.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The code attempts to auto-install the ModelStudio plugin if it is missing, without any explicit user confirmation. In a skill/agent context, silent installation is risky because it modifies the system and introduces supply-chain exposure through a network-installed dependency.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
During a nominal key retrieval flow, the function may create a cloud API key and store it in `~/.aliyun/config.json` automatically. This creates persistent credentials without an explicit provisioning step, which is especially dangerous for agent-executed code because it can silently expand access and leave long-lived secrets behind.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The skill sends user-provided prompts and media URLs to a third-party cloud API without an explicit consent or privacy warning. In this skill context, prompts, image URLs, and audio URLs may contain sensitive or private content, so silent transmission can cause unintended data disclosure to the external service and its logs.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The function sends user-supplied image and optional audio URLs to DashScope's remote video-generation service, but the code provides no explicit warning, consent step, or documentation that these inputs will be shared with a third party. In a skill context, users may reasonably assume local processing, so this can cause unintended disclosure of sensitive media references or associated data to an external provider.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The function transmits user-supplied prompt text and reference media URLs to a third-party video-generation service without an explicit privacy or data-disclosure warning. In this skill context, prompts and URLs may contain sensitive business, personal, or proprietary media references, so silent external transmission can cause unintended data exposure even though the network destination is fixed.

Natural-Language Policy Violations

Medium
Confidence
78% confidence
Finding
The code hard-codes a Beijing-region endpoint, which can create compliance, data residency, and privacy risks if users are unaware their content and metadata are being processed in that locale. In a media-generation skill that uploads references and prompts, region selection materially affects legal and organizational handling requirements, making the fixed region more security-relevant than a mere configuration preference.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The function transmits the user-supplied prompt to an external cloud video-generation service without an explicit consent or privacy warning at the point of collection/use. If users include sensitive, proprietary, or regulated data in prompts, the skill may unintentionally exfiltrate that data to a third party and create compliance/privacy issues.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script sends a user-provided video URL to an external API without any explicit warning that third-party processing will occur. Video URLs can embed sensitive or access-controlled content, and disclosure to an external processor may expose personal, proprietary, or tokenized resources beyond the user's expectations.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The function sends user-provided prompt text, video URL, and mask image URL to a third-party cloud API, but the skill does not provide any explicit notice, consent flow, or privacy warning to the user. In a skill context, this can lead to unintentional disclosure of sensitive media, internal URLs, or confidential prompts to an external provider, which is especially relevant because the tool is designed to process potentially private video content.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The function sends a user-supplied video URL and prompt to Alibaba DashScope's external multimodal API, which can expose sensitive content, internal URLs, or proprietary prompts to a third party without any explicit user consent or warning. In an agent-skill context, this is more dangerous because callers may assume local processing while the skill actually transfers potentially sensitive data off-platform.
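The findings from "Missing User Warnings" onward all describe the same egress: prompt text and image, video, audio and mask URLs leave for DashScope with no consent step, and the URLs themselves may point at internal hosts or carry presigned-URL credentials. The gate below is an added example written for this audit, not the skill's own code. It classifies each URL before egress: private, loopback, link-local (including the cloud metadata address) and internal DNS names are blocked, since the remote service cannot fetch them and the name alone discloses topology; URLs with embedded credentials or basic-auth userinfo return "confirm" so the caller can ask the user; redact_url() produces a copy safe for logs. The credential parameter names and internal-host suffixes are this example's assumptions, not an exhaustive list.

```python
"""Egress gate for user-supplied media URLs before they are sent to a third-party API.

Added example for this audit, not the skill's own code.
"""
import ipaddress
from urllib.parse import urlparse, parse_qsl, urlencode, urlunparse

# Query parameters that typically carry presigned-URL or bearer credentials (assumed list;
# OSSAccessKeyId/Signature follow Alibaba OSS signed URLs, X-Amz-* follows S3, sv/se/sp/sas Azure).
CREDENTIAL_PARAMS = {
    "ossaccesskeyid", "signature", "sig", "token", "access_token", "apikey", "api_key",
    "x-amz-signature", "x-amz-credential", "x-amz-security-token", "sv", "se", "sp", "sas",
}
INTERNAL_SUFFIXES = (".local", ".internal", ".lan")            # assumed
INTERNAL_NAMES = {"localhost", "metadata.google.internal"}     # assumed


def _is_internal_host(host: str) -> bool:
    """True for loopback, RFC 1918, link-local (incl. cloud metadata) and internal DNS names."""
    if host in INTERNAL_NAMES or host.endswith(INTERNAL_SUFFIXES):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False          # a public DNS name; no resolution is attempted offline
    return ip.is_private or ip.is_loopback or ip.is_link_local


def classify_media_url(url: str):
    """Return (verdict, reasons): 'allow', 'confirm' (needs user consent) or 'block'."""
    p = urlparse(url)
    if p.scheme not in ("http", "https"):
        return "block", [f"scheme '{p.scheme}' cannot be fetched by a remote service"]
    host = (p.hostname or "").lower()
    if not host:
        return "block", ["URL has no host"]
    if _is_internal_host(host):
        return "block", [f"host '{host}' is internal; sending it discloses network topology"]
    reasons = []
    if p.username or p.password:
        reasons.append("URL embeds basic-auth credentials")
    found = sorted({k.lower() for k, _ in parse_qsl(p.query, keep_blank_values=True)}
                   & CREDENTIAL_PARAMS)
    if found:
        reasons.append("URL carries access credentials in query parameters: " + ", ".join(found))
    return ("confirm", reasons) if reasons else ("allow", [])


def redact_url(url: str) -> str:
    """Copy of url safe to write to logs: userinfo dropped, credential params masked."""
    p = urlparse(url)
    query = urlencode([(k, "REDACTED" if k.lower() in CREDENTIAL_PARAMS else v)
                       for k, v in parse_qsl(p.query, keep_blank_values=True)])
    netloc = p.hostname or ""
    if p.port:
        netloc += f":{p.port}"
    return urlunparse(p._replace(netloc=netloc, query=query))


if __name__ == "__main__":
    # Constructed inputs, not real resources.
    for u in ("https://example.com/clips/demo.mp4",
              "https://bucket.oss-cn-beijing.aliyuncs.com/v.mp4?Expires=1&OSSAccessKeyId=AK&Signature=abc",
              "http://10.0.0.5/cam/feed.mp4",
              "file:///home/me/private.mp4"):
        verdict, why = classify_media_url(u)
        print(verdict, redact_url(u), why)
```

A "confirm" verdict is the point at which to show the user exactly what will leave the machine (the redacted URL and the prompt) and which provider and region will process it; a presigned OSS URL is often the legitimate way to hand private media to DashScope, so it should be disclosed rather than silently blocked.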

Unrestricted Tool Access

Medium
Category
Excessive Agency
Content
## Usage Examples

Run any script directly to see detailed parameter descriptions (`python scripts/<script_name>.py`).

| Feature | Script | Key Parameters |
|---------|--------|---------------|
Confidence
80% confidence
Finding
Run any script

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
brew install ffmpeg

# Ubuntu/Debian
sudo apt update && sudo apt install ffmpeg

# Windows (Chocolatey)
choco install ffmpeg
Confidence
91% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
brew install ffmpeg

# Ubuntu/Debian
sudo apt update && sudo apt install ffmpeg

# Windows (Chocolatey)
choco install ffmpeg
Confidence
91% confidence
Finding
sudo

VirusTotal

54/54 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.