ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Aliyun Qwen Generation

v1.0.0

Use when generating or reasoning over text with Alibaba Cloud Model Studio Qwen flagship text models (`qwen3-max`, `qwen3.5-plus`, `qwen3.5-flash`, snapshots...

0· 2·0 current·0 all-time
by@cinience
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The name, description, SKILL.md, example curl, and helper script consistently target Alibaba Cloud Model Studio (dashscope/OpenAI-compatible) Qwen text generation — the requested actions match the stated purpose. However, the registry metadata lists no required environment variables or primary credential even though the instructions explicitly require a DASHSCOPE_API_KEY or entries in ~/.alibabacloud/credentials. That metadata omission is an inconsistency (transparency issue) but not by itself evidence of malicious behavior.
Instruction Scope
The SKILL.md contains concrete, bounded instructions: prepare and save normalized request payloads, run a validation py_compile step, and call the dashscope OpenAI-compatible endpoint. The included script only constructs a JSON request and writes it to the output directory. It does reference storing credentials in ~/.alibabacloud/credentials and an environment variable (DASHSCOPE_API_KEY) and mentions overriding output base dir via OUTPUT_DIR; those credential/config paths and env-vars are not declared in the skill metadata, which expands the skill's data access expectations beyond what the registry advertises.
Install Mechanism
There is no install spec (instruction-only), so nothing is automatically written to disk by the platform. The README suggests creating a virtualenv and pip installing a package named 'dashscope' — that is normal for a Python helper workflow, but you should verify the package origin on PyPI or the vendor before installing. Overall install risk is low because nothing in the skill forces a download during installation.
!
Credentials
The skill requires access to a sensitive credential (DASHSCOPE_API_KEY) and suggests a credential file (~/.alibabacloud/credentials), but the published registry metadata declares no required env vars or primary credential. This is a proportionality/transparency problem: the skill legitimately needs an API key to call Model Studio, but the metadata should declare that requirement so users know what secrets they must provide. Also the skill uses OUTPUT_DIR as an override (not declared). Missing declarations increase the risk of accidental credential exposure and make it harder to audit before installation.
Persistence & Privilege
The skill is not always-enabled, is user-invocable, and does not request elevated or persistent platform privileges. The helper script only writes to an output directory under the skill's namespace. There is no evidence it modifies other skills or global agent config.
What to consider before installing
This skill appears to do what it says (prepare and call Alibaba Cloud Model Studio Qwen models), but the package metadata failed to list the sensitive environment variables and credential file it expects. Before installing or using it: 1) Confirm the skill's origin and trustworthiness (source is unknown). 2) Don't expose your DASHSCOPE_API_KEY in chat or public repos; prefer putting it into ~/.alibabacloud/credentials or a secrets manager. 3) Verify the 'dashscope' Python package on PyPI or the vendor site before pip installing. 4) Run the validation steps in an isolated environment (VM/container) to observe behavior and confirm it only writes under output/aliyun-qwen-generation/. 5) If you plan to use this in production, ask the author to update the registry metadata to declare DASHSCOPE_API_KEY (primary credential) and any config paths (e.g., ~/.alibabacloud/credentials or OUTPUT_DIR) so reviewers can audit required secrets up front.

Like a lobster shell, security has layers — review code before you run it.

latestvk97azfx3k7dppnsh7mb8rqjddh841sp6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Category: provider

Model Studio Qwen Text Generation

Validation

mkdir -p output/aliyun-qwen-generation
python -m py_compile skills/ai/text/aliyun-qwen-generation/scripts/prepare_generation_request.py && echo "py_compile_ok" > output/aliyun-qwen-generation/validate.txt

Pass criteria: command exits 0 and output/aliyun-qwen-generation/validate.txt is generated.

Output And Evidence

  • Save prompt templates, normalized request payloads, and response summaries under output/aliyun-qwen-generation/.
  • Keep one reproducible request example with model name, region, and key parameters.

Use this skill for general text generation, reasoning, tool-calling, and long-context chat on Alibaba Cloud Model Studio.

Critical model names

Prefer the current flagship families:

  • qwen3-max
  • qwen3-max-2026-01-23
  • qwen3.5-plus
  • qwen3.5-plus-2026-02-15
  • qwen3.5-flash
  • qwen3.5-flash-2026-02-23

Common related variants listed in the official model catalog:

  • qwen3.5-397b-a17b
  • qwen3.5-122b-a10b
  • qwen3.5-35b-a3b
  • qwen3.5-27b

Prerequisites

  • Install SDK in a virtual environment:
python3 -m venv .venv
. .venv/bin/activate
python -m pip install dashscope
  • Set DASHSCOPE_API_KEY in your environment, or add dashscope_api_key to ~/.alibabacloud/credentials.

Normalized interface (text.generate)

Request

  • messages (array<object>, required): standard chat turns.
  • model (string, optional): default qwen3.5-plus.
  • temperature (number, optional)
  • top_p (number, optional)
  • max_tokens (int, optional)
  • enable_thinking (bool, optional)
  • tools (array<object>, optional)
  • response_format (object, optional)
  • stream (bool, optional)

Response

  • text (string): assistant output.
  • finish_reason (string, optional)
  • usage (object, optional)
  • raw (object, optional)

Quick start (OpenAI-compatible endpoint)

curl -sS https://dashscope.aliyuncs.com/compatible-mode/v1/chat/completions \
  -H "Authorization: Bearer $DASHSCOPE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "qwen3.5-plus",
    "messages": [
      {"role": "system", "content": "You are a concise assistant."},
      {"role": "user", "content": "Summarize why object storage helps media pipelines."}
    ],
    "stream": false
  }'

Local helper script

python skills/ai/text/aliyun-qwen-generation/scripts/prepare_generation_request.py \
  --prompt "Draft a concise architecture summary for a media ingestion pipeline." \
  --model qwen3.5-plus

Operational guidance

  • Use snapshot IDs when reproducibility matters.
  • Prefer qwen3.5-flash for lower-latency simple tasks and qwen3-max for harder multi-step tasks.
  • Keep tool schemas minimal and explicit when enabling tool calls.
  • For multimodal input, route to dedicated VL or Omni skills unless the task is primarily text-centric.

Output location

  • Default output: output/aliyun-qwen-generation/requests/
  • Override base dir with OUTPUT_DIR.

References

  • references/sources.md

Files

4 total
Select a file
Select a file to preview.

Comments

Loading comments…