Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Qwen Code

Run Alibaba Cloud Qwen Code CLI via background process for task execution, code review, and automation.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the code and SKILL.md: this is a wrapper around the Qwen Code CLI and the scripts call the qwen binary to run tasks, review code, and run headless jobs. Requiring the qwen binary (anyBins) is appropriate.
Instruction Scope
SKILL.md and the shipped scripts instruct the agent to run the qwen CLI on arbitrary prompts and to read local files (e.g., file contents are embedded into prompts for review). Headless examples and scripts read project files and git diffs and then call qwen, which transmits content to Alibaba Cloud services — this is expected for a code-review tool but is a sensitive action (possible data exfiltration of source code). The README and examples also instruct use of an API key env var (DASHSCOPE_API_KEY) while the script checks for BAILIAN_CODING_PLAN_API_KEY inside ~/.qwen/settings.json — inconsistent naming and unclear provenance of required credentials.
Install Mechanism
There is no automated installer in the skill bundle (instruction-only install spec). Examples tell users to npm install the official qwen CLI. No downloads from untrusted URLs or archive extraction are present in the skill files. This is low-risk from an installation perspective.
Credentials
The registry metadata declares no required env vars, but SKILL.md and examples instruct setting DASHSCOPE_API_KEY and the CI examples use that name. The script itself looks for a different key (BAILIAN_CODING_PLAN_API_KEY) inside ~/.qwen/settings.json. That mismatch is confusing and could cause users to export keys under the wrong name. Aside from that, the skill does not request unrelated cloud credentials (no AWS/GCP keys), so the set of secrets it uses is limited to the Qwen/Dashscope API key space — but the missing/ambiguous env var declaration is a proportionality/clarity issue.
Persistence & Privilege
The skill is not forced-always and uses normal autonomous invocation defaults. The scripts read and write under ~/.qwen/ (settings, projects, skills). In particular, the skillCommand implementation can create directories and files under ~/.qwen/skills — i.e., it can add skill files into the user's Qwen skills directory. That behavior is coherent with 'Skills management' features but does modify a shared config area (other skills). Consider this a capability that increases impact if misused.
What to consider before installing
This skill is a wrapper for the official Qwen Code CLI and generally behaves consistently with that purpose, but review these points before installing:

  • Authentication naming is inconsistent: SKILL.md/examples refer to DASHSCOPE_API_KEY while the script inspects BAILIAN_CODING_PLAN_API_KEY inside ~/.qwen/settings.json. Make sure you understand which credential the environment/CLI actually requires and never paste high-privilege keys unless intended.
  • The skill (and its example scripts) will read your project files, git diffs, and other local files and pass them to the qwen CLI, which sends data to Alibaba Cloud. Do not run the examples on sensitive, proprietary, or secret-containing code unless you are comfortable sending that data to Qwen services.
  • The tool can create files under ~/.qwen/skills and read/write ~/.qwen/settings.json and project chat files. If you prefer stricter isolation, avoid using the skill's skill/agent-management commands or run in a disposable environment.
  • If you want to limit risk: run the wrapper only manually (do not allow unattended/autonomous invocations), inspect the script source (scripts/qwen-code.js), and test in a non-sensitive repository first. Ask the author to clarify the API key names and document precisely which env/config keys are used.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.2.0

Runtime requirements

🦌 Clawdis
Any bin: qwen

SKILL.md

Qwen Code Skill (background-first)

Use bash background mode for non-interactive coding work with Qwen Code CLI.

The Pattern: workdir + background

# Start Qwen Code in target directory
bash workdir:~/project background:true yieldMs:30000 command:"qwen -p 'Build a Flask API'"
# Returns sessionId for tracking

# Monitor progress
process action:log sessionId:XXX

# Check if done
process action:poll sessionId:XXX

# Send input (if Qwen asks a question)
process action:write sessionId:XXX data:"y"

# Kill if needed
process action:kill sessionId:XXX

Why workdir matters: the agent starts in a focused directory and doesn't wander off reading unrelated files.


Quick Start

Prerequisites

# Install Qwen Code CLI
npm install -g @qwen-code/qwen-code@latest

# Verify installation
qwen --version

# Authenticate (Option 1: OAuth)
qwen auth login

# Or Option 2: API Key
export DASHSCOPE_API_KEY="sk-xxx"

Basic Usage

# Check status
scripts/qwen-code.js status

# Run a task
scripts/qwen-code.js run "Create a Flask API"

# Code review
scripts/qwen-code.js review src/app.ts

# Headless mode (JSON output)
scripts/qwen-code.js headless "Analyze code" -o json

Commands

| Command | Description | Example |
|---|---|---|
| status | Check Qwen Code status and authentication | scripts/qwen-code.js status |
| run <task> | Execute programming task | scripts/qwen-code.js run "Create REST API" |
| review <file> | Code review and analysis | scripts/qwen-code.js review src/main.py |
| headless <task> | Headless mode (JSON output) | scripts/qwen-code.js headless "Analyze" -o json |
| help | Show help information | scripts/qwen-code.js help |

OpenClaw Integration

Background Execution

# Basic task
bash workdir:~/project background:true yieldMs:30000 \
  command:"qwen -p 'Create Python Flask API'"

# Specify model
bash workdir:~/project background:true yieldMs:30000 \
  command:"qwen -p 'Analyze code structure' -m qwen3-coder-plus"

# YOLO mode (auto-approve)
bash workdir:~/project background:true yieldMs:30000 \
  command:"qwen -p 'Refactor this function' -y"

Process Management

# View logs
process action:log sessionId:XXX

# Check completion
process action:poll sessionId:XXX

# Send input (if Qwen asks)
process action:write sessionId:XXX data:"y"

Headless Mode (Automation/CI/CD)

# JSON output
qwen -p "Analyze code structure" --output-format json

# Pipeline operations
git diff | qwen -p "Generate commit message"

# Batch processing
find src -name "*.ts" | xargs -I {} qwen -p "Review {}"
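
The pipelines above hand the diff or file to qwen, which sends it to Alibaba Cloud. The gate below is an added example, not part of the skill, that checks content for secret-looking lines before it leaves the machine; the rule names, the 16-character threshold for `sk-` keys and the function name `outbound_gate` are assumptions.

```shell
#!/bin/sh
# Added example, not part of the skill.
# outbound_gate FILE
# Returns 0 when FILE has no secret-looking lines, 1 otherwise (including when
# FILE cannot be read, so the gate fails closed). Prints only the rule name and
# line numbers, so the finding itself does not repeat the secret.
outbound_gate() {
    file="$1"
    found=0
    [ -r "$file" ] || { echo "unreadable input: $file"; return 1; }
    # Each rule line is "<name> <extended regex>"; read puts the rest of the
    # line, spaces included, into the last variable.
    while read -r rule pattern; do
        lines=$(grep -n -E -e "$pattern" "$file" | cut -d: -f1 | tr '\n' ',')
        if [ -n "$lines" ]; then
            echo "$rule at line(s) ${lines%,}"
            found=1
        fi
    done <<'RULES'
api-key-literal sk-[A-Za-z0-9_-]{16,}
key-assignment (DASHSCOPE_API_KEY|BAILIAN_CODING_PLAN_API_KEY)[[:space:]]*[=:]
private-key -----BEGIN [A-Z ]*PRIVATE KEY-----
RULES
    return "$found"
}

# Usage: capture once, gate, then send exactly the bytes that were checked.
#   d=$(mktemp) && git diff > "$d" &&
#     outbound_gate "$d" &&
#     qwen -p "Generate commit message" < "$d"
```

Placing the gate as a middle stage of `git diff | ... | qwen` would not stop the upload, because qwen still starts when an earlier stage fails; gate a captured file instead, as in the usage comment.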

Models

Qwen Code supports Alibaba Cloud models:

  • qwen3.5-plus - General purpose (default)
  • qwen3-coder-plus - Coding specialized
  • qwen3-coder-next - Latest coding model
  • qwen3-max-2026-01-23 - Most capable

Specify model:

bash workdir:~/project background:true yieldMs:30000 \
  command:"qwen -p 'Refactor this' -m qwen3-coder-plus"

Authentication

OAuth (Recommended)

qwen auth login

Opens browser for OAuth flow. Token auto-refreshes.

API Key

export DASHSCOPE_API_KEY="sk-xxx"

Get key from: https://dashscope.console.aliyun.com/
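
The scan above notes that the docs export DASHSCOPE_API_KEY while the script looks for BAILIAN_CODING_PLAN_API_KEY in ~/.qwen/settings.json. This added example (not the skill's own code) shows where each name is actually set without printing any key value; it assumes the settings file is JSON with the key as a quoted member name, and `audit_qwen_creds` is a hypothetical name.

```shell
#!/bin/sh
# Added example, not part of the skill. It reports WHERE each credential name
# mentioned on this page is set, and never prints a key value.

# audit_qwen_creds [SETTINGS_FILE]
# Prints one "NAME:LOCATION" line per place a name is found.
# Returns 0 = exactly one source, 1 = none found, 2 = several (ambiguous).
audit_qwen_creds() {
    settings="${1:-$HOME/.qwen/settings.json}"
    hits=0
    for name in DASHSCOPE_API_KEY BAILIAN_CODING_PLAN_API_KEY; do
        # Indirect env lookup; eval is safe here because $name is one of the
        # two fixed literals above, never user input.
        eval "val=\${$name:-}"
        if [ -n "$val" ]; then
            echo "$name:env"
            hits=$((hits + 1))
        fi
        # Assumption: the settings file is JSON and the key appears as a
        # quoted member name somewhere in it (its nesting is not known here).
        if [ -f "$settings" ] && grep -q "\"$name\"[[:space:]]*:" "$settings"; then
            echo "$name:$settings"
            hits=$((hits + 1))
        fi
    done
    unset val
    # A key file readable by group or others is a separate finding (stderr).
    if [ -f "$settings" ] &&
       [ -n "$(find "$settings" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]; then
        echo "WARN:$settings is readable by group or others" >&2
    fi
    case $hits in
        0) return 1 ;;
        1) return 0 ;;
        *) return 2 ;;
    esac
}

# Usage:  audit_qwen_creds            # checks ~/.qwen/settings.json
```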


⚠️ Rules

  1. Respect tool choice — if user asks for Qwen, use Qwen. NEVER offer to build it yourself!
  2. Be patient — don't kill sessions because they're "slow"
  3. Monitor with process:log — check progress without interfering
  4. YOLO mode for building: --yolo auto-approves changes (use in workspace only)
  5. Review mode for safety — production code should use review mode
  6. Parallel is OK — run many Qwen processes at once for batch work
  7. NEVER start Qwen in ~/clawd/ — it'll read your soul docs! Use target project dir or /tmp
  8. Workspace safety — YOLO mode is safe in agents.defaults.workspace, not elsewhere
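
Rules 4, 7 and 8 can be enforced before launch instead of being left to the agent's judgment. This is an added example, not part of the skill: `launch_allowed` and `realdir` are hypothetical names, and the workspace path is passed in because the value of agents.defaults.workspace is not given on this page.

```shell
#!/bin/sh
# Added example, not part of the skill.

# Physical (symlink-free) path of an existing directory, or empty output.
realdir() { [ -n "$1" ] && (CDPATH= cd -- "$1" 2>/dev/null && pwd -P) || true; }

# launch_allowed DIR MODE WORKSPACE [PROTECTED]
#   MODE is "review" or "yolo"; PROTECTED defaults to ~/clawd (rule 7).
# Prints "allow" or "deny: <reason>" and returns 0 or 1.
launch_allowed() {
    dir=$(realdir "$1"); mode=$2
    ws=$(realdir "$3"); prot=$(realdir "${4:-$HOME/clawd}")
    [ -n "$dir" ] || { echo "deny: workdir does not exist"; return 1; }
    [ "$dir" = / ] && dir=    # so that "/" counts as containing everything
    if [ -n "$prot" ]; then
        # Resolved paths are compared, so a symlink into the protected
        # directory is caught as well.
        case "$dir/" in "$prot"/*)
            echo "deny: workdir is inside protected dir"; return 1 ;;
        esac
        # Starting in a parent (for example $HOME) exposes it just the same.
        case "$prot/" in "$dir"/*)
            echo "deny: workdir contains protected dir"; return 1 ;;
        esac
    fi
    if [ "$mode" = yolo ]; then
        [ -n "$ws" ] || { echo "deny: yolo needs an existing workspace"; return 1; }
        case "$dir/" in
            "$ws"/*) ;;
            *) echo "deny: yolo outside workspace"; return 1 ;;
        esac
    fi
    echo allow
}

# Usage:  launch_allowed ~/project yolo /path/to/workspace && qwen -p '...' -y
```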

For

  • Developers using Qwen Code for programming tasks
  • Teams needing code review and analysis
  • Automation scripts and CI/CD integration
  • OpenClaw Sub-Agent and Skills management
  • Batch code analysis and refactoring

Not For

  • Environments without Qwen Code CLI installed
  • GUI-based interaction requirements
  • Non-Alibaba Cloud LLM users
  • Offline environments (requires network connection)

Security & Boundaries

| Component | Behavior | Executes Shell Commands? |
|---|---|---|
| scripts/qwen-code.js | Wraps Qwen Code CLI commands | Yes (via qwen command) |
| references/qwen-cli-commands.md | Command reference documentation | No (plain text) |
| assets/examples/ | Example code files | No (static files) |

⚠️ Security Notes

  • This Skill does not execute code directly, only calls Qwen Code CLI
  • Code generation and modifications require user confirmation, except in YOLO mode (-y / --yolo), which auto-approves changes
  • Use review mode in production environments
  • Disable YOLO mode for sensitive projects

Examples

See assets/examples/ for complete examples:

| Example | Description |
|---|---|
| basic-task.example.sh | Basic task execution |
| code-review.example.sh | Code review workflow |
| ci-cd.example.yml | GitHub Actions integration |
| headless-mode.example.js | Node.js automation example |

References


Troubleshooting

"qwen: command not found"

npm install -g @qwen-code/qwen-code@latest

"Authentication required"

qwen auth login
# Or set API key
export DASHSCOPE_API_KEY="sk-xxx"

Session stuck/waiting for input

# Check what Qwen is asking
process action:log sessionId:XXX

# Send approval
process action:write sessionId:XXX data:"y"

Kill stuck session

process action:kill sessionId:XXX

Qwen Code Skill 🦌 - Your AI coding partner powered by Alibaba Cloud
