Skill v0.9.41

ClawScan security

Baidu Yijian Vision · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 30, 2026, 8:31 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, runtime instructions, and requested environment variable (YIJIAN_API_KEY) align with a Baidu Yijian vision integration; nothing requests unrelated credentials or installs arbitrary remote artifacts.
Guidance
This skill is coherent with its description, but be aware: using it will transmit image and video data (and any embedded metadata) to Baidu Yijian endpoints (yijian-next.cloud.baidu.com and yijian.baidubce.com). Provide YIJIAN_API_KEY only if you trust that service and understand its data handling/privacy policy. The tool caches some metadata under the OS temp directory (cache filenames include a short hash derived from your API key, not the key itself). If you need to avoid external data transfer, do not run these scripts; use a local-only processing alternative instead. Finally, installing optional native deps (e.g., sharp) may require a native build environment; review package.json and run the scripts only in a controlled environment.

Review Dimensions

Purpose & Capability
ok: Name/description (Baidu Yijian vision) match the code and instructions: Node scripts call Yijian router/query/run and multimodal endpoints. Required binary (node) and primary env var (YIJIAN_API_KEY) are appropriate for the stated purpose.
Instruction Scope
ok: Runtime instructions and scripts operate on images/videos, construct ROI/tripwire overlays, query router and invoke skills, and fall back to multimodal inference. They read local image files (to embed/measure them) and send image data to Baidu endpoints, which is expected for a vision service.
Install Mechanism
ok: No install spec is provided and the package is instruction/code-only. There are no downloads from arbitrary URLs or extract/install steps; dependencies are standard Node modules (sharp is optional). Risk from installation is low.
Credentials
ok: The only required environment variable is YIJIAN_API_KEY (declared as primaryEnv). No other secret env vars or unrelated credentials are requested. The code uses the key for Authorization to expected Baidu domains.
Persistence & Privilege
ok: The skill does not request always:true and does not modify other skills or system-wide settings. It runs as invoked and can be invoked autonomously (platform default), which is normal for skills.