Qwen Api

Security checks across malware telemetry and agentic risk

Overview

This is mostly a Qwen API guide, but it recommends disabling provider safety checks, so users should review it carefully before installing.

Install only if you are comfortable with a skill that documents and recommends disabling provider content inspection. Keep safety controls enabled unless you have explicit authorization and a compliant reason, protect API keys, use approved endpoints for your organization or jurisdiction, and avoid uploading sensitive documents or private media unless you intend to send that data to DashScope.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The skill explicitly documents how to disable DashScope input and output inspection and labels the international endpoint as having 'no content moderation', which meaningfully lowers safety controls. In a general API assistant, presenting moderation bypass as normal usage enables abusive or policy-evading integrations and increases the likelihood the skill is used to generate or process harmful content without safeguards.

Natural-Language Policy Violations

High
Confidence: 99%
Finding
The content promotes bypassing model moderation without any justification, approval workflow, or user consent language. Because this is an API-development helper, such guidance is more dangerous: it can directly shape downstream developer behavior and normalize deployment patterns that evade provider safeguards.

Missing User Warnings

Medium
Confidence: 86%
Finding
The long-document example uploads a local PDF to the provider and then references it for analysis, but the documentation gives no warning about sensitive data, retention, residency, or consent requirements. This omission can lead users to upload confidential or regulated documents under the assumption that the example is safe for general use.

Missing User Warnings

Medium
Confidence: 84%
Finding
The multimodal examples send external image and video URLs to the API without warning that the URLs and referenced media may expose personal, proprietary, or access-controlled data to the provider. In an agent skill meant to help developers integrate APIs, omission of these cautions can cause inadvertent disclosure or unsafe use of third-party resources.

Ssd 1

High
Confidence: 99%
Finding
The documentation not only includes bypass instructions but presents 'international version + disable moderation = no content restrictions' under best practices, effectively recommending safety-control evasion. That elevates risk beyond a neutral mention because it encourages operational adoption of reduced-guardrail configurations in production workflows.

VirusTotal

66/66 vendors flagged this skill as clean.
