Chanjing Customised Person

Review

Audited by ClawScan on May 1, 2026.

Overview

This skill appears purpose-aligned for Chanjing digital-human management, but users should note that it uses local Chanjing credentials, uploads selected videos, and can delete cloud resources.

Before installing, make sure you trust the Chanjing API integration, protect the local credentials.json file, verify any video path before upload, use callback URLs only if you control them, and double-check person IDs before deletion.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone who can read this credentials file may be able to use the user's Chanjing API access.

Why it was flagged

The skill uses local Chanjing credentials and writes refreshed access tokens to disk; this is expected for the API integration and clearly documented, but it is sensitive account access.

Skill content

    credentials:
      model: credentials_json
      defaultPath: "~/.chanjing/credentials.json"
      sensitiveFields:
        - app_id
        - secret_key
        - access_token
        - expire_in
      persistAccessTokenOnDisk: true

Recommendation

Keep ~/.chanjing/credentials.json private, use restrictive file permissions, and do not commit it to source control.

What this means

A selected local video is sent to Chanjing or its storage endpoint for processing.

Why it was flagged

The upload helper reads the user-specified local video file and uploads it to the API-returned signed URL, which matches the skill purpose but can expose sensitive video content if the wrong file is chosen.

Skill content

    with open(path, "rb") as f:
        content = f.read()
    put_req = urllib.request.Request(
        sign_url,
        data=content,
        headers={"Content-Type": mime_type},
        method="PUT",
    )

Recommendation

Only provide file paths for videos you intend to upload, and avoid using paths that contain private or unrelated content.

What this means

Running the delete command can remove a digital-human resource from the user's Chanjing account.

Why it was flagged

The skill can delete a Chanjing customised person by ID. This is a stated feature and requires an explicit ID, but it is still a high-impact account mutation.

Skill content

    req = urllib.request.Request(
        f"{API_BASE}/open/v1/delete_customised_person",
        data=json.dumps({"id": args.id}).encode("utf-8"),

Recommendation

Confirm the person ID and intended deletion before invoking this command.

What this means

If a callback URL is supplied, task results and resource references may be sent to that endpoint.

Why it was flagged

The optional callback creates a webhook-style data flow from Chanjing to a user-provided endpoint; this is disclosed, optional, and purpose-aligned, but the payload may include sensitive task/resource details.

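Skill content

`create_person.py --callback`: If a URL is passed, the remote service may POST task results to that endpoint; the payload may contain sensitive information such as status and resource references.

Recommendation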

Use --callback only with endpoints you control and trust.

What this means

On first use without credentials, an additional local helper script may run to assist login setup.

Why it was flagged

If credentials are missing, the auth helper may execute a fixed sibling Chanjing credentials-guard script to open a login page. This is related to setup and documented as opening a browser, but it relies on code outside this skill package if present.

Skill content

    script = skills_dir / "chanjing-credentials-guard" / "scripts" / "open_login_page.py"
    if script.exists():
        subprocess.run([sys.executable, str(script)], check=False, timeout=5)

Recommendation

Install the companion credentials-guard skill only from a trusted source, or ensure credentials are configured before using this skill.