Ekyc Suite
Review
Audited by ClawScan on May 10, 2026.
Overview
This skill appears purpose-aligned for KYC/eKYC checks, but users should understand that uploaded biometric and document images are sent to Tencent Cloud APIs and require provider credentials.
Install only if you trust Tencent Cloud and the skill publisher with biometric and identity-document media. Use test or scoped credentials where possible, submit only authorized images/videos, avoid arbitrary URLs or local paths, and keep human review for any high-stakes KYC decisions.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Photos, videos, ID cards, bank cards, and other document images may contain highly sensitive personal or biometric information and will be processed by Tencent Cloud.
The skill clearly discloses that user-provided biometric/document media is sent to an external provider for processing.
By installing and using this skill, image and video data you provide will be transmitted to Tencent Cloud's identity verification API for processing.
Use only with images/videos you are authorized to submit, make sure users understand the provider transfer, and avoid using results as the sole basis for high-stakes decisions.
The skill uses your Tencent Cloud KYC/labeling credentials, which can grant API access and may create billable provider usage.
The code reads provider API credentials from environment variables to obtain access tokens and sign requests.
appid = os.environ.get(f"{prefix}_APPID", "")
secret = os.environ.get(f"{prefix}_SECRET", "")
Prefer test credentials or narrowly scoped credentials, monitor usage, and do not expose production secrets in chats, logs, or shared environments.
If misused, the agent could fetch and submit content from a URL or arbitrary local path rather than only an intended uploaded media file.
Although the skill documentation emphasizes uploaded image/video files, the helper also accepts URLs and raw base64, then fetches or forwards that content.
Handle file path, URL, or raw base64... if input_str.startswith(("http://", "https://"))... resp = requests.get(input_str, timeout=30)
Invoke the skill only on explicit user-provided media files or trusted media URLs, and avoid passing arbitrary local paths or untrusted URLs.
Different installations could use different versions of the requests package.
The dependency is declared with a lower bound rather than a pinned version, which can reduce reproducibility if users install dependencies manually.
requests>=2.28.0
Install in an isolated environment and consider pinning dependency versions before production use.
Version mismatches can make it harder to confirm exactly which release is installed or reviewed.
The registry lists version 1.0.3 while _meta.json shows 1.0.2 and SKILL.md frontmatter shows 1.0.0, indicating version metadata drift.
"version": "1.0.2"
Verify the release source and expected version before using this skill in sensitive identity-verification workflows.
