arithmetic-orc

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: math-arithmetic-orc
Version: 1.0.0

The skill is a legitimate implementation for performing OCR on mathematical equations using the Tencent Cloud ArithmeticOCR API. The code in `index.js` correctly implements the standard Tencent Cloud Signature V3 authentication process and communicates only with the official `ocr.tencentcloudapi.com` endpoint. No evidence of data exfiltration, malicious execution, or prompt injection was found; the skill functions as described in `SKILL.md` and `plugin.json`.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A Tencent Cloud key used with this skill can authorize OCR API calls and may incur charges or expose account identity to Tencent Cloud.

Why it was flagged

The skill needs Tencent Cloud API credentials and can take them from environment variables or parameters. This is expected for the stated Tencent OCR integration, but the registry metadata does not declare required credentials.

Skill content

const secretId = process.env.TENCENTCLOUD_SECRET_ID || params.secretId;
const secretKey = process.env.TENCENTCLOUD_SECRET_KEY || params.secretKey;

Recommendation

Use a dedicated, least-privilege Tencent Cloud key for OCR only, avoid pasting long-lived secrets into normal chat, and monitor usage or billing.

What this means

Images or image URLs supplied for OCR are sent to Tencent Cloud for processing.

Why it was flagged

The skill makes a network request to the documented Tencent Cloud OCR endpoint with the image payload or image URL.

Skill content

url: 'https://ocr.tencentcloudapi.com', ... data: body,

Recommendation

Only use it for images you are comfortable sending to Tencent Cloud, and review Tencent Cloud's retention and privacy terms if the image is sensitive.

What this means

A future compatible dependency version could change behavior or inherit upstream vulnerabilities.

Why it was flagged

The dependency uses a semver range rather than an exact pinned version in the provided artifacts, so the exact axios version may vary when dependencies are installed.

Skill content

"dependencies": { "axios": "^1.6.0" }

Recommendation

Prefer an exact dependency pin or lockfile, and install from a trusted package registry/source.