v1.1.16

夸克扫描王转Office - yescan transoffice universal

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 7:36 AM.

Analysis

The skill appears purpose-aligned for converting user-provided images through Quark's OCR service, but it requires an API key, uploads images to Quark, and leaves converted files in temporary storage until cleaned.

GuidanceThis skill is coherent and disclosed for its purpose. Before installing, confirm you are comfortable sending the selected images to Quark's scanning service, keep SCAN_WEBSERVICE_KEY protected, and remove generated files from the temporary directory after use if they contain sensitive information.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityLowConfidenceHighStatusNote

SKILL.md

python3 scripts/scan.py --scene "${SCENE_VALUE}" --path "${IMAGE_FILE_PATH}" ... 直接执行命令，不增删任何参数

The skill directs the agent to run a local Python command using the user-provided URL, file path, or base64 image input. This is central to the skill and is constrained to fixed scenes, but users should recognize that invocation reads and processes the specified input.

User impactIf the user points the skill at an image file, that file will be read and submitted for conversion.

RecommendationOnly provide image paths, URLs, or base64 content that you intentionally want converted, and avoid pointing it at unrelated private files.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

scripts/common/ocr_client.py

api_key = os.getenv("SCAN_WEBSERVICE_KEY", "").strip() ... "aiApiKey": self.api_key

The skill requires a Quark scanning service API key and sends it to the configured Quark API endpoint as part of normal operation.

User impactThe key may authorize usage of the user's Quark scanning account or quota.

RecommendationStore the key only in the scoped OpenClaw skill environment, rotate it if exposed, and use a key with the minimum appropriate permissions or quota.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityMediumConfidenceHighStatusNote

SKILL.md

本技能会将您提供的图片发送至夸克扫描王官方服务器 (`scan-business.quark.cn`) 进行识别。

The skill clearly discloses that image contents are sent to an external provider for OCR/conversion, which is expected for this service but privacy-relevant.

User impactImages may contain contracts, reports, IDs, or other sensitive content that will be processed outside the local environment.

RecommendationUse the skill only for documents you are authorized and comfortable sending to Quark's service, and review the provider's privacy and retention terms if the data is sensitive.

Memory and Context Poisoning

SeverityLowConfidenceHighStatusNote

SKILL.md

识别返回的文件会保存至系统临时目录（如 `/tmp`），这些文件将持续存在直到您手动清理

Converted output files may contain extracted document content and are intentionally retained on local temporary storage until the user removes them.

User impactConverted documents can remain on the machine after the task, which may matter on shared or sensitive systems.

RecommendationDelete the generated files from the temporary directory when no longer needed, especially after converting sensitive documents.