volc-vision
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill appears to do what it claims—send a provided image to Volc ARK for vision analysis—while requiring users to be comfortable sharing those images and an ARK API key.
This looks safe to install if you intend to use Volc ARK for image understanding. Before using it, make sure ARK_API_KEY is a key you are comfortable using, and only analyze images or image URLs that you are comfortable sending to the ARK API.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent or user supplies the wrong local path, the tool may send that file's contents to the vision API as if it were an image.
The tool reads the path supplied as its image argument. This is expected for local image analysis, but it is broad enough that an incorrect path could cause a non-image file to be read and submitted.
const imagePath = args[0]; ... const filePath = path.isAbsolute(url) ? url : path.join(process.cwd(), url); if (fs.existsSync(filePath)) { resolve(fs.readFileSync(filePath)); return; }
Invoke it only on intended image files or trusted image URLs. Consider adding file type, size, and directory checks if stricter containment is needed.
The configured ARK API key may be used for requests and billing under that account.
The skill uses the ARK_API_KEY environment variable as a bearer credential to access the Volc ARK API. This is expected for the stated integration and the artifacts do not show hardcoded, logged, or unrelated credential use.
const API_KEY = process.env.ARK_API_KEY; ... 'Authorization': `Bearer ${API_KEY}`
Use a dedicated, least-privilege ARK API key where possible and avoid sharing the environment variable with unrelated tools.
Personal, private, or confidential information visible in an image may be transmitted to Volc ARK for processing.
The prompt and base64-encoded image are sent to the external Volc ARK chat completions endpoint. This is central to the skill's purpose, but it means image contents are shared with the provider.
const API_URL = 'ark.cn-beijing.volces.com'; ... content: [ { type: 'text', text: prompt }, { type: 'image_url', image_url: { url: imageUrl } } ]
Use the skill only for images you are comfortable sending to the ARK API, and review the provider's data handling terms for sensitive use cases.
