Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ekyc Suite
v1.0.2KYC and eKYC identity verification suite for AI agents — 8 financial-grade biometric and document verification capabilities in one skill. Face comparison and...
⭐ 0· 76·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name, description, SKILL.md and included scripts all match an eKYC / identity verification purpose. The required environment variables (KYC_APPID/KYC_SECRET for capabilities 1–7 and LABEL_APPID/LABEL_SECRET for capability 8) align with the described upstream Tencent Cloud endpoints. No unrelated credentials or odd binaries are requested.
Instruction Scope
SKILL.md instructs the agent to accept images/videos, run the included Python scripts, and send base64-encoded media to specific Tencent Cloud endpoints — that is consistent. However SKILL.md also repeatedly states 'NEVER accept or transmit names, ID numbers, phone numbers, or any personal text data' while simultaneously documenting OCR capabilities that extract and return textual identity fields (name, idcard, bankcardNo, etc.). The implementation (scripts/ekyc_api.py) parses and returns those fields and does not automatically redact them. This is a functional/privacy inconsistency: the skill can and will produce personal textual data, yet the prose forbids transmitting such text; the prohibition is not enforced in code or invocation rules. Otherwise, input handling includes SSRF protections and file size checks which are appropriate.
Install Mechanism
No install spec is provided (instruction-only), but Python scripts and requirements.txt are bundled with the skill. That means code will be executed from the skill package rather than fetched from an arbitrary external URL — lower install risk than remote downloads. The scripts depend on the requests library; there is no automated install described, so runtime environment must already satisfy dependencies. No unusual or obfuscated install mechanisms detected.
Credentials
The skill asks only for four env vars which map directly to two upstream credential sets (KYC_* and LABEL_*). The split (Key A for caps 1–7 and Key B for cap 8) is explained in code and docs and the declared primaryEnv (KYC_APPID) is sensible. These credentials are sensitive but proportionate to the functionality.
Persistence & Privilege
The skill does not request always:true or any elevated platform privilege. It does not declare config paths or attempt to change other skills' settings. Autonomous invocation is allowed (platform default) and is not by itself a disqualifying factor.
What to consider before installing
This skill appears to honestly implement an eKYC client for Tencent Cloud and requests exactly the credentials you'd expect, but there is an important privacy/instruction mismatch you should resolve before installing: the documentation forbids accepting or transmitting personal textual data (names, ID numbers, phone numbers) while the OCR capabilities will extract and return those exact fields and the code does not automatically redact them. If you plan to process identity documents, confirm whether the agent or your deployment will redact PII before returning it to users (or modify the scripts to mask sensitive strings). Also note: image/video files will be transmitted to the listed Tencent Cloud endpoints (kyc1.qcloud.com, miniprogram-kyc.tencentcloudapi.com, kyc2.qcloud.com) — only install if you trust that upstream provider and you are comfortable providing test/production keys. Use test credentials as suggested when evaluating; avoid supplying production API keys until you have validated behavior (especially redaction). Finally, ensure the runtime Python environment has the required dependency (requests) and that the platform protects environment variables (these keys are sensitive).Like a lobster shell, security has layers — review code before you run it.
latestvk97fsajsz95gqq9fzdadr5r8fh8436p2
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🔐 Clawdis
EnvKYC_APPID, KYC_SECRET, LABEL_APPID, LABEL_SECRET
Primary envKYC_APPID