Zuimei Zjz Api

Warn

Audited by ClawScan on May 15, 2026.

Overview

This skill mostly matches its photo-processing purpose, but it embeds shared API credentials and sends sensitive face/ID photos to an external service, so it should be reviewed before use.

Before installing, decide whether you are comfortable sending portrait or ID photos to this provider. Do not rely on the bundled shared credential for real use; configure your own API key, monitor quota or charges, and confirm before paid processing.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Photo processing may run under a shared provider credential rather than a user-controlled account, and any later use of personal API keys can consume the user's own quota or balance.

Why it was flagged

The skill embeds a shared API key and secret and says they can be used automatically without configuration. This creates an unclear account/credential boundary and exposes a secret in the distributed artifact.

Skill content

This Skill provides free test credentials... ZUIMEI_API_KEY="ak_f808..." ZUIMEI_SECRET_KEY="58ade..."

Recommendation

Remove the bundled secret, rotate the exposed test credential, declare the API key/secret in metadata, and require users to explicitly configure or approve the credential used.

What this means

Images used for ID photos, portraits, or enhancement will leave the local environment and be processed by the provider.

Why it was flagged

The documented workflow uploads user photos to an external provider and returns result URLs. This is purpose-aligned, but ID and face photos are sensitive and the artifacts do not describe retention or access controls for returned CDN URLs.

Skill content

Base URL: `https://idphoto.huipai.vip` ... `image | file` ... `image_url`

Recommendation

Only process images you are comfortable sending to the provider, review the provider's privacy terms, and avoid highly sensitive documents unless retention and access controls are acceptable.

What this means

Using some features may spend free credits or paid balance on the associated API account.

Why it was flagged

Several documented API operations can consume paid quota or balance. This is disclosed and related to the skill purpose, but users should notice it before allowing the agent to call those endpoints.

Skill content

Billing... With beautification enabled (beautify_flag=true): an additional beautification fee is charged ... charged at the cutout unit price

Recommendation

Have the agent confirm before using paid options, monitor quota/balance, and prefer a user-owned API key with spending limits.