Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
smart ocr
v1.0.1识别车辆证件(行驶证正页/副页)和收据/发票图片,返回结构化 JSON 数据。 支持图片 URL 和本地文件两种方式,需要 API Key。
⭐ 0· 108·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's name/description and the included scripts align with OCR of vehicle documents and receipts. However, registry metadata lists no required environment variables or primary credential while the SKILL.md and both Python scripts require SMARTOCR_API_KEY (and optionally SMARTOCR_API_URL). This mismatch between declared requirements and actual runtime needs is incoherent and should be fixed or explained by the author.
Instruction Scope
The SKILL.md and scripts instruct the agent to read OpenClaw session files (default: ~/.openclaw/agents/{agent}/sessions/*.jsonl) to extract base64 image data and then POST that data to the SmartOCR API. Reading session files is within the stated purpose (to process images sent in chat), but it accesses potentially sensitive conversation history. The skill uploads raw image base64 to an external endpoint (default https://smartocr.yunlizhi.cn), so verify the endpoint and privacy policy before use.
Install Mechanism
There is no external install/download step—this is instruction+script based and only requires python3 and the requests library. No remote archive downloads or unusual install locations are used.
Credentials
At runtime the scripts require SMARTOCR_API_KEY (and optionally SMARTOCR_API_URL and OPENCLAW_HOME). The skill metadata did not declare SMARTOCR_API_KEY as a required env var/primary credential, which is a misleading omission. Requesting an API key to call an external service is proportionate for OCR, but the missing declaration reduces transparency. Also note the API key prefix 'sk-'—verify provider trust and key scope before use.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills or system-wide configs. It reads session files under the user's OpenClaw home for its intended function, which is a significant but expected data access for this feature.
What to consider before installing
This skill will read your OpenClaw session files to extract images and upload those images (as Base64) to an external API (default: https://smartocr.yunlizhi.cn). Before installing: 1) Confirm you trust the SmartOCR provider and its handling of uploaded images and API keys. 2) Do not use sensitive images (IDs, private documents) until you verify the endpoint and privacy policy. 3) The skill omitted declaring SMARTOCR_API_KEY in its registry metadata—expect to set SMARTOCR_API_KEY in your OpenClaw env; consider using a scoped/test key. 4) If you prefer to avoid external uploads, run your own local SmartOCR instance and set SMARTOCR_API_URL to a localhost address. 5) Because the source/homepage is unknown, prefer running the scripts in a sandbox or reviewing/hosting them yourself rather than granting broad access immediately.Like a lobster shell, security has layers — review code before you run it.
latestvk97f303d2qgth6wye9246dx9dx83mvyn
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🔍 Clawdis
Binspython3