
Security audit

Alibabacloud Bailian Voice Creator

Security checks across malware telemetry and agentic risk

Overview

The skill provides Alibaba Cloud voice features, but normal use can automatically install a CLI plugin and create/store cloud API keys without a clear opt-in step.

Review before installing. Prefer setting `DASHSCOPE_API_KEY` manually with least-privilege permissions, avoid granting full Bailian access unless truly needed, and assume audio/text sent through this skill will be processed by Alibaba Cloud. Be aware that first use may modify your Alibaba Cloud CLI setup and create a real API key that can incur charges.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""Auto-install ModelStudio plugin if missing."""
    try:
        print("正在自动安装 ModelStudio 插件...", file=sys.stderr)
        result = subprocess.run(
            ["aliyun", "plugin", "install",
             "--names", "aliyun-cli-modelstudio", "--enable-pre"],
            capture_output=True,
Confidence
85% confidence
Finding
result = subprocess.run( ["aliyun", "plugin", "install", "--names", "aliyun-cli-modelstudio", "--enable-pre"], capture_output=True, text=True,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
workspace_id = _get_workspace_id()

    try:
        result = subprocess.run(
            ["aliyun", "modelstudio", "create-api-key",
             "--region", "cn-beijing",
             "--workspace-id", workspace_id,
Confidence
83% confidence
Finding
result = subprocess.run( ["aliyun", "modelstudio", "create-api-key", "--region", "cn-beijing", "--workspace-id", workspace_id, "--description

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The module description presents the code as local key management and validation, but the implementation also installs plugins and creates/deletes remote cloud API keys. This mismatch can mislead reviewers and users about the true privileges and side effects, increasing the chance of unsafe execution in an agent environment.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
If no key is found, the code automatically creates a new cloud API key and persists it locally without explicit user confirmation. In an agent skill, silent credential provisioning is dangerous because it changes cloud account state, expands access, and may create secrets the user never intended to exist.

Missing User Warnings

Medium
Confidence
77% confidence
Finding
The skill sends user-provided audio URLs and resulting audio content to a third-party ASR service without any explicit privacy notice, consent prompt, or data-handling disclosure. In a voice-processing skill, this increases the risk of unintentionally transmitting sensitive spoken content, especially because long-audio mode requires a publicly accessible file URL.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.