alicloud-ai-video-wan-video

Pass

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: SAFE
CREDENTIALS_UNSAFE, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The scripts scripts/generate_video.py and scripts/generate_dancing_video.py contain logic to read sensitive authentication tokens from the ~/.alibabacloud/credentials file and the DASHSCOPE_API_KEY environment variable.
  • [DATA_EXFILTRATION]: The reference_image parameter in the generate_video script supports local file paths. Because these paths are not sanitized or restricted to a specific directory, the DashScope SDK's auto-upload feature could be used to exfiltrate sensitive local files (e.g., configuration files or SSH keys) to the cloud provider's API.
  • [EXTERNAL_DOWNLOADS]: The skill downloads generated media from external URLs using urllib.request.urlopen and instructs the user to install the third-party dashscope library via pip.
  • [COMMAND_EXECUTION]: The SKILL.md file includes shell commands for validating the skill's environment and compiling Python scripts, which execute in the local environment.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 11, 2026, 03:27 AM