aliyun-wan-video
Pass
Audited by Gen Agent Trust Hub on Apr 30, 2026
Risk Level: SAFE
Full Analysis
- [DATA_EXPOSURE]: The scripts in the skill access the sensitive file path ~/.alibabacloud/credentials to retrieve the DASHSCOPE_API_KEY. This is documented as the standard method for authenticating with Alibaba Cloud services and aligns with official vendor recommendations.
- [EXTERNAL_DOWNLOADS]: The skill relies on the dashscope Python package, which is the official SDK for Alibaba Cloud Model Studio. All external documentation links point to the trusted aliyun.com domain.
- [INDIRECT_PROMPT_INJECTION]: The skill processes user-provided prompts which are interpolated into API requests. This constitutes a standard injection surface for AI agent skills.
  - Ingestion points: User input is ingested via command-line arguments and JSON request files in scripts/generate_video.py and scripts/generate_dancing_video.py.
  - Boundary markers: The skill does not implement specific boundary markers or delimiters when passing user prompts to the DashScope API.
  - Capability inventory: The skill has the capability to perform network requests (via the SDK and urllib.request) and write files to the local system (downloading generated assets).
  - Sanitization: There is no explicit sanitization of prompt strings prior to their use in API payloads.
- [COMMAND_EXECUTION]: The SKILL.md file contains a validation block that uses py_compile to verify script syntax. This is a standard build-time check and does not involve the execution of untrusted code or commands.
Audit Metadata