图可丽视觉api (Tukeli Vision API)

Advisory. Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Every image selected for processing is uploaded to Tukeli's servers, and each successful API call can consume credits on the associated Tukeli account.

Why it was flagged

The script uploads the selected local image file to the Tukeli API with request parameters and headers. This is expected for the skill’s purpose, but it is still an external, account-billed operation.

Skill content
import requests

# Upload the selected local image as multipart form data together with the
# request parameters and headers: this call sends the image off the machine.
with open(image_path, "rb") as f:
    files = {"file": (image_path.name, f, "image/jpeg")}
    resp = requests.post(
        url,
        params=url_params,
        files=files,
        headers=headers,
    )
Recommendation

Use this skill only with images you are comfortable sending to Tukeli, and avoid bulk or repeated calls unless you intend to spend the credits.

What this means

Anyone, or any agent, that can read the configured key (from the environment or the .env file) can make API calls billed to the associated Tukeli account.

Why it was flagged

The skill reads a local Tukeli API key from an environment variable or a .env file. This is purpose-aligned and disclosed, but it grants the skill authority to act against the user's Tukeli account.

Skill content
import os

def _load_api_key():
    # Prefer the process environment; fall back to ROOT_DIR/.env
    key = os.environ.get("TUKELI_API_KEY")
    if key:
        return key
    env_data = _parse_env_file(ROOT_DIR / ".env")
    return env_data.get("TUKELI_API_KEY")
Recommendation

Keep the API key private: store it only in the intended environment variable or .env file, keep the .env file out of version control and readable only by your own user, and rotate the key if it may have been exposed.
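The following is an added example, not the skill's own code, of loading the key the way the advisory describes (environment first, then ROOT_DIR/.env) while also checking that the .env file is not readable by other users and keeping the key out of logs. The `_parse_env_file` implementation, the permission warning and the `redact` helper are assumptions of this example; the skill's real helper is only referenced on this page, not shown.

```python
"""Added example (not the skill's code): key loading with a .env permission
check and log-safe redaction. _parse_env_file and the warning text are
assumptions; only the lookup order is taken from the advisory."""
import os
import stat
from pathlib import Path

KEY_NAME = "TUKELI_API_KEY"


def _parse_env_file(path: Path) -> dict:
    """Minimal KEY=VALUE parser (assumed shape): skips blanks and '#' comments,
    accepts an optional 'export ' prefix, strips matching quotes, last wins."""
    data = {}
    if not path.is_file():
        return data
    for raw in path.read_text(encoding="utf-8").splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        name, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        data[name.strip()] = value
    return data


def env_file_is_private(path: Path) -> bool:
    """True when group and others have no read bit on the .env (POSIX modes)."""
    mode = stat.S_IMODE(path.stat().st_mode)
    return not (mode & (stat.S_IRGRP | stat.S_IROTH))


def load_api_key(root_dir: Path, environ=None) -> tuple:
    """Return (key, source, warnings). Environment wins over .env, as in the skill."""
    environ = os.environ if environ is None else environ
    warnings = []
    key = environ.get(KEY_NAME)
    if key:
        return key, "environment", warnings
    env_path = root_dir / ".env"
    if not env_path.is_file():
        return None, None, warnings
    if not env_file_is_private(env_path):
        warnings.append(f"{env_path} is readable by other users; chmod 600 it and rotate the key")
    key = _parse_env_file(env_path).get(KEY_NAME)
    return key, (".env" if key else None), warnings


def redact(key: str) -> str:
    """Show only the last 4 characters, safe for log lines and error messages."""
    if not key:
        return "<unset>"
    return "*" * max(len(key) - 4, 0) + key[-4:]


def demo() -> dict:
    """Constructed scenario in a temp dir (sample key, not a real credential)."""
    import tempfile
    root = Path(tempfile.mkdtemp())
    env_path = root / ".env"
    env_path.write_text(
        "# Tukeli credentials (constructed sample)\n"
        "export TUKELI_API_KEY='sk-test-1234'\n",
        encoding="utf-8",
    )
    env_path.chmod(0o600)
    key_env, src_env, _ = load_api_key(root, environ={KEY_NAME: "from-env"})
    key_file, src_file, w_private = load_api_key(root, environ={})
    env_path.chmod(0o644)  # simulate a .env left world-readable
    _, _, w_loose = load_api_key(root, environ={})
    return {
        "env_wins": (key_env, src_env),
        "file_key": (key_file, src_file),
        "private_warnings": w_private,
        "loose_warnings": w_loose,
        "redacted": redact(key_file),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Run it directly to see the lookup order, the permission warning and the redacted key; in a real deployment the warning is the signal to fix the file mode and rotate the key, since a readable .env has already granted that authority to every local user.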

What this means

Different installations could receive different versions of the dependency.

Why it was flagged

The skill depends on the external Python package requests with a lower-bound version rather than an exact pinned version. This is common and purpose-aligned, but installed package versions may vary over time.

Skill content
requests>=2.28.0
Recommendation

Install in a virtual environment and consider pinning dependency versions (an exact version, optionally with package hashes) if you need reproducible or tightly controlled deployments.

What this means

Local output folders may reveal which images or URLs were processed.

Why it was flagged

The script writes metadata alongside output files that can include the local source path, image URL, and processing parameters. This is disclosed as output metadata, but it persists potentially sensitive file-location or URL information.

Skill content
# Metadata dict (name assumed) written next to each output file as .meta.json
meta = {
    "image_path": str(image_path) if image_path else None,
    "image_url": image_url,
    "params": url_params,
}
Recommendation

Review or delete generated .meta.json files if image paths, URLs, or processing details are sensitive.
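As an added example (not the skill's code), the script below walks an output folder, finds the .meta.json files described above and either reports or redacts the two location-revealing fields the advisory names, `image_path` and `image_url`, while leaving `params` in place. The exact file layout beyond those three keys, the `<redacted>` placeholder and the sample folder contents are assumptions of this example.

```python
"""Added example (not the skill's code): audit or scrub .meta.json files in an
output folder. The field names come from the advisory; the placeholder value and
the sample files below are constructed for the example."""
import json
from pathlib import Path

SENSITIVE_KEYS = ("image_path", "image_url")


def find_meta_files(out_dir: Path) -> list:
    """All *.meta.json files under out_dir, sorted for a stable report."""
    return sorted(p for p in out_dir.rglob("*.meta.json") if p.is_file())


def sensitive_fields(meta: dict) -> dict:
    """The location-revealing fields that are actually populated."""
    return {k: meta[k] for k in SENSITIVE_KEYS if meta.get(k)}


def scrub_meta_file(path: Path, dry_run: bool = True) -> dict:
    """Report and, unless dry_run, redact the sensitive fields of one file.
    The key is kept with a placeholder so tools expecting it still parse the
    file; "params" stays intact because it documents how the output was made."""
    try:
        meta = json.loads(path.read_text(encoding="utf-8"))
    except (json.JSONDecodeError, UnicodeDecodeError):
        return {"file": str(path), "skipped": True}
    if not isinstance(meta, dict):
        return {"file": str(path), "skipped": True}
    found = sensitive_fields(meta)
    if found and not dry_run:
        for k in found:
            meta[k] = "<redacted>"
        path.write_text(json.dumps(meta, indent=2, ensure_ascii=False) + "\n",
                        encoding="utf-8")
    return {"file": str(path), "skipped": False, "found": found,
            "redacted": bool(found) and not dry_run}


def scrub_output_dir(out_dir: Path, dry_run: bool = True) -> list:
    """Dry run by default: list what would leak before rewriting anything."""
    return [scrub_meta_file(p, dry_run) for p in find_meta_files(out_dir)]


def demo() -> dict:
    """Constructed sample output folder so the example runs offline."""
    import tempfile
    tmp = Path(tempfile.mkdtemp())
    (tmp / "cat.meta.json").write_text(json.dumps({
        "image_path": "/home/alice/private/cat.jpg",
        "image_url": None,
        "params": {"mode": "enhance"},
    }), encoding="utf-8")
    (tmp / "dog.meta.json").write_text(json.dumps({
        "image_path": None,
        "image_url": "https://example.invalid/dog.jpg",
        "params": {},
    }), encoding="utf-8")
    (tmp / "broken.meta.json").write_text("not json", encoding="utf-8")
    report = scrub_output_dir(tmp, dry_run=True)   # audit first
    scrub_output_dir(tmp, dry_run=False)           # then redact in place
    after = json.loads((tmp / "cat.meta.json").read_text(encoding="utf-8"))
    return {"report": report, "after": after}


if __name__ == "__main__":
    for entry in demo()["report"]:
        print(entry)
```

Run the dry run against the skill's output folder first; the report shows exactly which files expose a local path or source URL, and only the second pass rewrites them.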