Pill Counter Skill

ReviewAudited by ClawScan on May 7, 2026.

Overview

This pill-counting skill is coherent and purpose-aligned, but users should notice that optional AI mode reads a local MiMo API key and uploads the image to Xiaomi MiMo for analysis.

This skill appears safe to install for local pill counting. Prefer the default OpenCV mode for privacy. Before using --ai, confirm you want the image sent to Xiaomi MiMo and that the configured API key is intended for this use.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Medium

#ASI03: Identity and Privilege Abuse

What this means

If AI mode is used, the skill can use the configured MiMo/Xiaomi API key for requests, which may consume quota or create charges.

Why it was flagged

AI mode reads an existing local OpenClaw provider API key. This is expected for the advertised MiMo AI mode, but it is credential access and may incur API usage.

Skill content

config_path = os.path.expanduser('~/.openclaw/openclaw.json') ... api_key = config.get('models', {}).get('providers', {}).get('xiaomi-coding', {}).get('apiKey')

Recommendation

Use AI mode only when you intend to use that provider credential, and verify the API key in ~/.openclaw/openclaw.json is the correct one for this purpose.

Medium

#ASI07: Insecure Inter-Agent Communication

What this means

Images analyzed with --ai leave the local machine and are sent to the external MiMo service.

Why it was flagged

AI mode compresses the input image, base64-encodes it, and sends it to the MiMo API endpoint. This is disclosed and purpose-aligned, but image contents may be sensitive.

Skill content

"image_url": {"url": f"data:image/jpeg;base64,{img_b64}"} ... urllib.request.Request("https://api.xiaomimimo.com/v1/chat/completions"

Recommendation

Use the offline OpenCV mode for sensitive images, or only use --ai when you are comfortable sending the image to the provider.

Info

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

Installing dependencies may pull current package versions from PyPI, which can vary over time.

Why it was flagged

The setup instructions ask the user to install unpinned Python packages from the package ecosystem. This is normal for an OpenCV-based skill, but dependency provenance and versions are not locked.

Skill content

pip install opencv-python-headless numpy Pillow

Recommendation

Install dependencies in a virtual environment and consider pinning trusted versions if using this in a controlled or production workflow.