iFLYTEK Face Compare

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill appears purpose-aligned, but it sends face images to iFlytek and uses your iFlytek API credentials, so only use it with images and keys you intend to share.

This skill does not show concrete malicious behavior in the provided artifacts. Before installing, make sure you are comfortable sending the selected face images to iFlytek, have permission to process those images, and can protect the required API credentials.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Face images selected for comparison leave the local environment and are processed by iFlytek.

Why it was flagged

The code base64-encodes both provided face images and posts them to the iFlytek API endpoint. This is expected for the skill, but it transfers biometric image data to an external provider.

Skill content

"image": image1_base64 ... "image": image2_base64 ... response = requests.post(signed_url, json=request_body, timeout=self.timeout)

Recommendation

Use only images you are authorized to share, consider consent and privacy requirements, and review iFlytek's data handling terms before using this for identity verification.

What this means

Anyone with access to these credentials may be able to consume the user's iFlytek API quota or access the configured face-recognition service.

Why it was flagged

The skill requires iFlytek API credentials. This is normal for the integration, but those credentials authorize use of the user's iFlytek account.

Skill content

export XF_FACE_APP_ID=your_app_id ... export XF_FACE_API_KEY=your_api_key ... export XF_FACE_API_SECRET=your_api_secret

Recommendation

Store the credentials securely, avoid sharing logs or configuration files containing them, and use the least-privileged or dedicated API key available.

What this means

Users have less external provenance information to rely on when deciding whether to trust the skill.

Why it was flagged

The artifact metadata does not identify a source repository or package provenance. The included behavior is coherent and there is no install script, but provenance is still worth noting.

Skill content

Source: unknown

Recommendation

Review the included files before installation and prefer a trusted source or publisher when available.