Test Image Data Extraction

Advisory

Audited by Static analysis on May 8, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Images may contain private or business data and will be sent to a third-party service for processing.

Why it was flagged

The selected image file is uploaded to an external Ketop API with an API key. This is consistent with the OCR/table-extraction purpose, but it means image contents leave the local environment.

Skill content
url = "https://kpp.ketop.cn/Api/KpAiImgTbApi?act=imgtb"
header = {
    "X-API-Key": f"{ketop_key}"
}
response = requests.post(url,headers=header,files=files)

Recommendation

Use this only for images you are comfortable sending to Ketop, and review that provider's privacy and retention terms.

What this means

A Ketop API key may be requested and used on the user's behalf.

Why it was flagged

The skill expects a Ketop access key and suggests saving it. Provider credentials are expected for this integration, but users should handle the key carefully.

Skill content
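Check whether the access key KETOP_KEY_TOKEN exists; if there is no key, prompt the user to apply to Ketop (开普检测) for a key, wait for the user to provide it, then obtain a valid key and save it.

Recommendation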

Provide the key only through a secure environment variable or approved secret store, avoid placing it in chat, and revoke it if no longer needed.

What this means

If allowed, the agent may run the helper script against the image path the user provides.

Why it was flagged

The skill documents running an included local Python helper script. This is central to the skill's purpose and the script is short and readable, but it is still local code execution.

Skill content
python scripts/imgread.py -f imgpath

Recommendation

Allow execution only for the intended image file and review the helper script before use in sensitive environments.