← 返回 Skills 市场

Qwen Code

Name: Qwen Code
Author: userb1ank

作者 UserB1ank · GitHub ↗ · v1.2.0

cross-platform ⚠ suspicious

618

总下载

当前安装

版本数

在 OpenClaw 中安装

/install qwen-code-skill

功能描述

Run Alibaba Cloud Qwen Code CLI via background process for task execution, code review, and automation.

安全使用建议

This skill is a wrapper for the official Qwen Code CLI and generally behaves consistently with that purpose, but review these points before installing: - Authentication naming is inconsistent: SKILL.md/examples refer to DASHSCOPE_API_KEY while the script inspects BAILIAN_CODING_PLAN_API_KEY inside ~/.qwen/settings.json. Make sure you understand which credential the environment/CLI actually requires and never paste high-privilege keys unless intended. - The skill (and its example scripts) will read your project files, git diffs, and other local files and pass them to the qwen CLI, which sends data to Alibaba Cloud. Do not run the examples on sensitive, proprietary, or secret-containing code unless you are comfortable sending that data to Qwen services. - The tool can create files under ~/.qwen/skills and read/write ~/.qwen/settings.json and project chat files. If you prefer stricter isolation, avoid using the skill's skill/agent-management commands or run in a disposable environment. - If you want to limit risk: run the wrapper only manually (do not allow unattended/autonomous invocations), inspect the script source (scripts/qwen-code.js), and test in a non-sensitive repository first. Ask the author to clarify the API key names and document precisely which env/config keys are used.

功能分析

Type: OpenClaw Skill Name: qwen-code-skill Version: 1.2.0 The skill is a wrapper for the powerful 'qwen' AI coding CLI, which inherently carries high-risk capabilities such as generating, executing, and modifying code, and potentially reading sensitive files (as explicitly warned in SKILL.md regarding `~/clawd/`). The script `scripts/qwen-code.js` uses `child_process.spawn` to execute `qwen` commands with user-controlled prompts, which could facilitate prompt injection against the `qwen` CLI itself, leading to arbitrary code execution or unauthorized data access. While the skill's documentation attempts to mitigate these risks by warning about 'YOLO' (auto-approve) mode and sensitive directories, the underlying capabilities are significant vulnerabilities without clear malicious intent from the skill's author.

能力评估

✓ Purpose & Capability

Name/description match the code and SKILL.md: this is a wrapper around the Qwen Code CLI and the scripts call the qwen binary to run tasks, review code, and run headless jobs. Requiring the qwen binary (anyBins) is appropriate.

⚠ Instruction Scope

SKILL.md and the shipped scripts instruct the agent to run the qwen CLI on arbitrary prompts and to read local files (e.g., file contents are embedded into prompts for review). Headless examples and scripts read project files and git diffs and then call qwen, which transmits content to Alibaba Cloud services — this is expected for a code-review tool but is a sensitive action (possible data exfiltration of source code). The README and examples also instruct use of an API key env var (DASHSCOPE_API_KEY) while the script checks for BAILIAN_CODING_PLAN_API_KEY inside ~/.qwen/settings.json — inconsistent naming and unclear provenance of required credentials.

✓ Install Mechanism

There is no automated installer in the skill bundle (instruction-only install spec). Examples tell users to npm install the official qwen CLI. No downloads from untrusted URLs or archive extraction are present in the skill files. This is low-risk from an installation perspective.

⚠ Credentials

The registry metadata declares no required env vars, but SKILL.md and examples instruct setting DASHSCOPE_API_KEY and the CI examples use that name. The script itself looks for a different key (BAILIAN_CODING_PLAN_API_KEY) inside ~/.qwen/settings.json. That mismatch is confusing and could cause users to export keys under the wrong name. Aside from that, the skill does not request unrelated cloud credentials (no AWS/GCP keys), so the set of secrets it uses is limited to the Qwen/Dashscope API key space — but the missing/ambiguous env var declaration is a proportionality/clarity issue.

ℹ Persistence & Privilege

The skill is not forced-always and uses normal autonomous invocation defaults. The scripts read and write under ~/.qwen/ (settings, projects, skills). In particular, the skillCommand implementation can create directories and files under ~/.qwen/skills — i.e., it can add skill files into the user's Qwen skills directory. That behavior is coherent with 'Skills management' features but does modify a shared config area (other skills). Consider this a capability that increases impact if misused.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install qwen-code-skill
安装完成后，直接呼叫该 Skill 的名称或使用 /qwen-code-skill 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.2.0

**Qwen Code Skill 1.2.0** - Revised documentation: Simplified and refocused SKILL.md with background process usage, modern workflow patterns, and clearer security guidance. - Added English-only docs; removed README.zh-CN.md for streamlined maintenance. - Updated command and integration examples for latest Qwen Code CLI. - Improved troubleshooting section and clarified prerequisites. - Enhanced compatibility notes and detailed use cases for automation and CI/CD.

v1.0.1

qwen-code-skill v1.0.1 changelog: - 新增阿里云 Qwen Code CLI 封装，支持状态检查、任务执行、代码审查和自动化 - 提供 `scripts/qwen-code.js` 脚本，简化与 Qwen Code CLI 的集成与调用 - 支持 Headless 模式，适用于自动化和 CI/CD 场景 - 明确用法说明、前置条件与安全边界 - 提供快速上手指引和多种命令示例

v0.1.2

No code or documentation changes detected in this release. - Version updated to 0.1.2. - No file changes were made.

v0.1.1

Qwen Code Skill v0.1.1 - 全新重写文档，重点聚焦 CLI 封装与自动化集成用法 - 增加 scripts/qwen-code.js 主工具脚本，实现状态检查、任务/审查/headless 调用 - 丰富官方用法及自动化/CI 示例，增加多组 assets/examples 示例文件 - 新增 references/qwen-cli-commands.md 命令参考文档 - 移除旧版 qwen-code.js；更规范脚本文件结构与命令参数 - 支持 OpenClaw Skills 规范与前后置条件说明

v0.1.0

- Initial release of the Qwen Code Skill integrated with the official Qwen Code CLI. - Provides both background (non-interactive) and interactive (tmux) programming assistant modes. - Includes helper script qwen-code.js for easy CLI access to status checks, task execution, code review, and headless automation. - Supports multiple authentication methods (OAuth or API Key), model selection, sub-agents, skill extensions, and MCP integration. - Offers detailed usage examples for automation, code analysis, code review, and CI/CD integration. - Includes guidance on session data management, configuration, and tool usage rules.

元数据

Slug qwen-code-skill

版本 1.2.0

许可证 —

累计安装 0

当前安装数 0

历史版本数 5

常见问题

Qwen Code 是什么？

Run Alibaba Cloud Qwen Code CLI via background process for task execution, code review, and automation. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 618 次。

如何安装 Qwen Code？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install qwen-code-skill」即可一键安装，无需额外配置。

Qwen Code 是免费的吗？

是的，Qwen Code 完全免费（开源免费），可自由下载、安装和使用。

Qwen Code 支持哪些平台？

Qwen Code 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Qwen Code？

由 UserB1ank（@userb1ank）开发并维护，当前版本 v1.2.0。