Bailian Studio
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill appears aligned with its stated Aliyun Bailian OCR, TTS, and image-generation purpose, but users should be aware that it uses cloud credentials and sends selected images and text to DashScope and OSS.
Before installing, confirm you are comfortable giving the skill Aliyun DashScope and OSS credentials, sending selected images/text to Aliyun cloud services, and storing uploaded images in your OSS bucket. Use dedicated, least-privilege credentials and review/delete OSS uploads as needed.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can use the configured Aliyun/DashScope account and OSS bucket for requested OCR, TTS, and image tasks, which may incur usage or storage charges.
The skill requires DashScope and OSS credentials to call Aliyun services and upload local images, even though registry metadata lists no primary credential or required environment variables.
API Key (priority order): 1. `DASHSCOPE_API_KEY` env ... OSS_ACCESS_KEY, OSS_SECRET_KEY, OSS_BUCKET, OSS_ENDPOINT, OSS_REGION
Use least-privilege Aliyun credentials, a dedicated OSS bucket or prefix, and avoid sharing broad account keys.
Images, prompts, OCR inputs, and TTS text provided to the skill leave the local machine and are processed by external cloud services.
The documentation discloses that local images are uploaded to OSS and then sent to DashScope, while URL images are passed directly to DashScope.
Local reference image: upload to OSS first, then pass to DashScope ... URL reference image: passed straight through to DashScope
Only submit content appropriate for Aliyun processing, configure OSS access controls carefully, and delete uploaded objects when they are no longer needed.
Using TTS may start a local media player process and play audio on the device.
The TTS script launches ffplay to play the generated WAV audio; this is consistent with the documented TTS playback purpose, and the call passes an argument list directly rather than going through a shell.
subprocess.run(["ffplay", "-nodisp", "-autoexit", tmp.name], check=True)
Install ffmpeg/ffplay from a trusted source and use the `--output` option if you prefer saving audio instead of playback.
Future installs could resolve to newer package versions than the author tested.
The skill depends on external Python packages with lower-bound version constraints rather than exact pins; this is common for Python skills but gives dependency resolution some flexibility.
dashscope>=1.24.0 oss2>=2.19.1 requests>=2.31.0 pytest>=8.0.0
Install in an isolated Python environment and consider pinning exact dependency versions for reproducible use.
