Skills
skills/cinience/alicloud-skills/alicloud-ai-code-qwen-coder/Gen Agent Trust Hub

alicloud-ai-code-qwen-coder

Pass

Audited by Gen Agent Trust Hub on Mar 28, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs the user to install the dashscope package from PyPI. This is the official SDK for Alibaba Cloud Model Studio.
  • [COMMAND_EXECUTION]: The skill includes a validation step and a utility script (prepare_code_request.py) to prepare request payloads and save them to the local file system.
  • [PROMPT_INJECTION]: The prepare_code_request.py script functions as a data ingestion point, interpolating user-provided tasks and repository summaries into model requests. This creates a surface for indirect prompt injection if untrusted data is processed.
  • Ingestion points: prepare_code_request.py (via --task and --repository-summary arguments).
  • Boundary markers: Absent; data is interpolated directly into a string template within the JSON message.
  • Capability inventory: The script performs file-write operations to the local output/ directory.
  • Sanitization: Absent; the script performs no validation or escaping of the input strings before inclusion in the payload.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 28, 2026, 01:20 AM