alibabacloud-avatar-video

Pass

Audited by Gen Agent Trust Hub on Apr 17, 2026

Risk Level: SAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [SAFE]: The skill follows secure credential management practices by reading sensitive information like DASHSCOPE_API_KEY, ALIBABA_CLOUD_ACCESS_KEY_ID, and ALIBABA_CLOUD_ACCESS_KEY_SECRET exclusively from environment variables. No secrets are hardcoded in the source code.
  • [COMMAND_EXECUTION]: Several scripts (animate_anyone.py, live_portrait.py, image_to_video.py) use the subprocess module to invoke system utilities ffmpeg and ffprobe for media processing (e.g., format conversion, audio extraction). These calls are secure as they use list-based arguments and avoid shell=True, preventing shell injection vulnerabilities.
  • [EXTERNAL_DOWNLOADS]: The skill downloads AI-generated media assets (MP4, WAV, PNG) from official Alibaba Cloud DashScope and OSS endpoints. These operations are performed using the requests library and urllib.request.urlopen, with basic URL scheme validation (http/https) provided by the input_validation.py utility.
  • [SAFE]: File system operations are protected against path traversal attacks. The resolve_under_cwd helper in input_validation.py ensures that any user-supplied output paths are strictly confined to the current working directory.
  • [SAFE]: All network communication is directed to legitimate Alibaba Cloud service endpoints (e.g., dashscope.aliyuncs.com, lingmou.cn-beijing.aliyuncs.com), which is consistent with the skill's stated purpose.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 17, 2026, 05:54 AM