aliyun-happyhorse-t2v
Pass
Audited by Gen Agent Trust Hub on Apr 29, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill performs legitimate operations by wrapping the Alibaba Cloud DashScope API. All network requests are directed to official Alibaba Cloud domains (aliyuncs.com) which are recognized as well-known and trusted services.
- [EXTERNAL_DOWNLOADS]: The skill requires the 'requests' Python package for communicating with the DashScope API. This is a standard and well-known library for HTTP requests.
- [CREDENTIALS_UNSAFE]: The skill documentation and provided script follow best practices for secret management by instructing users to use environment variables (DASHSCOPE_API_KEY) or standard local configuration files (~/.alibabacloud/credentials) rather than hardcoding sensitive information.
- [PROMPT_INJECTION]: The skill processes user-provided prompts as part of the video generation workflow. While this constitutes an indirect injection surface, the risk is mitigated by the skill's specific purpose and the use of structured data formats for transmission.
- Ingestion points: User-provided prompt parameter in t2v_happyhorse.py and the input.prompt field defined in SKILL.md.
- Boundary markers: Prompts are encapsulated within JSON objects when sent to the API, preventing them from being interpreted as instructions by the local execution environment.
- Capability inventory: The script performs network requests (GET/POST) to retrieve task status and post generation jobs, and performs local file writes to save metadata in the output directory.
- Sanitization: Employs standard JSON serialization which provides basic escaping of characters within the prompt payload.
Audit Metadata