arithmetic-orc
PassAudited by ClawScan on May 10, 2026.
Overview
This skill matches its stated arithmetic OCR purpose, but it sends user-provided images to Tencent Cloud and uses Tencent Cloud credentials.
Before installing, confirm you are comfortable sending selected math images to Tencent Cloud, configure a scoped Tencent Cloud OCR key, and be aware that registry metadata under-declares the credential requirement even though the SKILL.md and code disclose it.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A Tencent Cloud key used with this skill can authorize OCR API calls and may incur charges or expose account identity to Tencent Cloud.
The skill needs Tencent Cloud API credentials and can take them from environment variables or parameters. This is expected for the stated Tencent OCR integration, but the registry metadata does not declare required credentials.
const secretId = process.env.TENCENTCLOUD_SECRET_ID || params.secretId; const secretKey = process.env.TENCENTCLOUD_SECRET_KEY || params.secretKey;
Use a dedicated, least-privilege Tencent Cloud key for OCR only, avoid pasting long-lived secrets into normal chat, and monitor usage or billing.
Images or image URLs supplied for OCR are sent to Tencent Cloud for processing.
The skill makes a network request to the documented Tencent Cloud OCR endpoint with the image payload or image URL.
url: 'https://ocr.tencentcloudapi.com', ... data: body,
Only use it for images you are comfortable sending to Tencent Cloud, and review Tencent Cloud's retention and privacy terms if the image is sensitive.
A future compatible dependency version could change behavior or inherit upstream vulnerabilities.
The dependency uses a semver range rather than an exact pinned version in the provided artifacts, so the exact axios version may vary when dependencies are installed.
"dependencies": { "axios": "^1.6.0" }Prefer an exact dependency pin or lockfile, and install from a trusted package registry/source.