Advisory: Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can use the configured Tencent Cloud credentials to call OCR APIs, which may create account usage, costs, or audit obligations.
The skill requires Tencent Cloud API credentials. This is expected for Tencent OCR, but it grants the skill delegated access to the user's Tencent account and OCR quota.
config:
  - name: "tencent-secret-id"
    type: "password"
    required: true
  - name: "tencent-secret-key"
    type: "password"
    required: true

Use a dedicated least-privilege Tencent CAM subaccount or key limited to the needed OCR capability, monitor usage, and rotate the key if the skill is removed.
ID-card images or image URLs, plus extracted name, sex, and ID number, may be handled by Tencent Cloud during OCR processing.
The code sends each provided ID-card image URL to Tencent Cloud OCR. This is central to the skill, but it means sensitive identity-document data is processed by an external provider.
req.from_json_string(json.dumps({"ImageUrl": url, "CardSide": "FRONT"}))
resp = client.IDCardOCR(req)

Only use the skill for documents you are authorized to process, confirm that Tencent Cloud handling is acceptable for your privacy and compliance needs, and avoid submitting unnecessary documents.
The generated attachment contains names, genders, and ID numbers and should be treated as a sensitive file after download or sharing.
The skill writes extracted identity details to a local temporary text file so OpenClaw can return it. This is purpose-aligned, but the file contains sensitive PII.
file_path = "/tmp/身份证提取结果.txt"
with open(file_path, "w", encoding="utf-8") as f:
    f.write(final_file_text)

Store the output securely, delete it when it is no longer needed, and avoid sharing the generated text file in broad or public channels.
Future dependency versions could introduce compatibility changes or new supply-chain risk even though the current source code is straightforward.
The dependency is specified with only a lower bound. The Tencent SDK is expected for the skill’s purpose, but unpinned dependencies can change behavior across installs.
tencentcloud-sdk-python>=3.0.0
Prefer pinning a reviewed Tencent SDK version and using a lockfile or trusted package source for repeatable installs.
