← Back to Skills Marketplace

Qwen Code

Name: Qwen Code
Author: userb1ank

by UserB1ank · GitHub ↗ · v1.2.0

cross-platform ⚠ suspicious

618

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install qwen-code-skill

Description

Run Alibaba Cloud Qwen Code CLI via background process for task execution, code review, and automation.

Usage Guidance

This skill is a wrapper for the official Qwen Code CLI and generally behaves consistently with that purpose, but review these points before installing: - Authentication naming is inconsistent: SKILL.md/examples refer to DASHSCOPE_API_KEY while the script inspects BAILIAN_CODING_PLAN_API_KEY inside ~/.qwen/settings.json. Make sure you understand which credential the environment/CLI actually requires and never paste high-privilege keys unless intended. - The skill (and its example scripts) will read your project files, git diffs, and other local files and pass them to the qwen CLI, which sends data to Alibaba Cloud. Do not run the examples on sensitive, proprietary, or secret-containing code unless you are comfortable sending that data to Qwen services. - The tool can create files under ~/.qwen/skills and read/write ~/.qwen/settings.json and project chat files. If you prefer stricter isolation, avoid using the skill's skill/agent-management commands or run in a disposable environment. - If you want to limit risk: run the wrapper only manually (do not allow unattended/autonomous invocations), inspect the script source (scripts/qwen-code.js), and test in a non-sensitive repository first. Ask the author to clarify the API key names and document precisely which env/config keys are used.

Capability Analysis

Type: OpenClaw Skill Name: qwen-code-skill Version: 1.2.0 The skill is a wrapper for the powerful 'qwen' AI coding CLI, which inherently carries high-risk capabilities such as generating, executing, and modifying code, and potentially reading sensitive files (as explicitly warned in SKILL.md regarding `~/clawd/`). The script `scripts/qwen-code.js` uses `child_process.spawn` to execute `qwen` commands with user-controlled prompts, which could facilitate prompt injection against the `qwen` CLI itself, leading to arbitrary code execution or unauthorized data access. While the skill's documentation attempts to mitigate these risks by warning about 'YOLO' (auto-approve) mode and sensitive directories, the underlying capabilities are significant vulnerabilities without clear malicious intent from the skill's author.

Capability Assessment

✓ Purpose & Capability

Name/description match the code and SKILL.md: this is a wrapper around the Qwen Code CLI and the scripts call the qwen binary to run tasks, review code, and run headless jobs. Requiring the qwen binary (anyBins) is appropriate.

⚠ Instruction Scope

SKILL.md and the shipped scripts instruct the agent to run the qwen CLI on arbitrary prompts and to read local files (e.g., file contents are embedded into prompts for review). Headless examples and scripts read project files and git diffs and then call qwen, which transmits content to Alibaba Cloud services — this is expected for a code-review tool but is a sensitive action (possible data exfiltration of source code). The README and examples also instruct use of an API key env var (DASHSCOPE_API_KEY) while the script checks for BAILIAN_CODING_PLAN_API_KEY inside ~/.qwen/settings.json — inconsistent naming and unclear provenance of required credentials.

✓ Install Mechanism

There is no automated installer in the skill bundle (instruction-only install spec). Examples tell users to npm install the official qwen CLI. No downloads from untrusted URLs or archive extraction are present in the skill files. This is low-risk from an installation perspective.

⚠ Credentials

The registry metadata declares no required env vars, but SKILL.md and examples instruct setting DASHSCOPE_API_KEY and the CI examples use that name. The script itself looks for a different key (BAILIAN_CODING_PLAN_API_KEY) inside ~/.qwen/settings.json. That mismatch is confusing and could cause users to export keys under the wrong name. Aside from that, the skill does not request unrelated cloud credentials (no AWS/GCP keys), so the set of secrets it uses is limited to the Qwen/Dashscope API key space — but the missing/ambiguous env var declaration is a proportionality/clarity issue.

ℹ Persistence & Privilege

The skill is not forced-always and uses normal autonomous invocation defaults. The scripts read and write under ~/.qwen/ (settings, projects, skills). In particular, the skillCommand implementation can create directories and files under ~/.qwen/skills — i.e., it can add skill files into the user's Qwen skills directory. That behavior is coherent with 'Skills management' features but does modify a shared config area (other skills). Consider this a capability that increases impact if misused.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install qwen-code-skill
After installation, invoke the skill by name or use /qwen-code-skill
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.2.0

**Qwen Code Skill 1.2.0** - Revised documentation: Simplified and refocused SKILL.md with background process usage, modern workflow patterns, and clearer security guidance. - Added English-only docs; removed README.zh-CN.md for streamlined maintenance. - Updated command and integration examples for latest Qwen Code CLI. - Improved troubleshooting section and clarified prerequisites. - Enhanced compatibility notes and detailed use cases for automation and CI/CD.

v1.0.1

qwen-code-skill v1.0.1 changelog: - 新增阿里云 Qwen Code CLI 封装，支持状态检查、任务执行、代码审查和自动化 - 提供 `scripts/qwen-code.js` 脚本，简化与 Qwen Code CLI 的集成与调用 - 支持 Headless 模式，适用于自动化和 CI/CD 场景 - 明确用法说明、前置条件与安全边界 - 提供快速上手指引和多种命令示例

v0.1.2

No code or documentation changes detected in this release. - Version updated to 0.1.2. - No file changes were made.

v0.1.1

Qwen Code Skill v0.1.1 - 全新重写文档，重点聚焦 CLI 封装与自动化集成用法 - 增加 scripts/qwen-code.js 主工具脚本，实现状态检查、任务/审查/headless 调用 - 丰富官方用法及自动化/CI 示例，增加多组 assets/examples 示例文件 - 新增 references/qwen-cli-commands.md 命令参考文档 - 移除旧版 qwen-code.js；更规范脚本文件结构与命令参数 - 支持 OpenClaw Skills 规范与前后置条件说明

v0.1.0

- Initial release of the Qwen Code Skill integrated with the official Qwen Code CLI. - Provides both background (non-interactive) and interactive (tmux) programming assistant modes. - Includes helper script qwen-code.js for easy CLI access to status checks, task execution, code review, and headless automation. - Supports multiple authentication methods (OAuth or API Key), model selection, sub-agents, skill extensions, and MCP integration. - Offers detailed usage examples for automation, code analysis, code review, and CI/CD integration. - Includes guidance on session data management, configuration, and tool usage rules.

Metadata

Slug qwen-code-skill

Version 1.2.0

License —

All-time Installs 0

Active Installs 0

Total Versions 5

Frequently Asked Questions

What is Qwen Code?

Run Alibaba Cloud Qwen Code CLI via background process for task execution, code review, and automation. It is an AI Agent Skill for Claude Code / OpenClaw, with 618 downloads so far.

How do I install Qwen Code?

Run "/install qwen-code-skill" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Qwen Code free?

Yes, Qwen Code is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Qwen Code support?

Qwen Code is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Qwen Code?

It is built and maintained by UserB1ank (@userb1ank); the current version is v1.2.0.

More Skills