TencentCloud Image Face Fusion
Review
Audited by ClawScan on May 10, 2026.
Overview
This skill appears to do what it claims—use Tencent Cloud to fuse user-provided face images—but it uploads those images to Tencent, uses Tencent credentials, and may install an SDK on first run.
Before installing, confirm you are comfortable sending the selected face images to Tencent Cloud and using your Tencent account quota. Consider pre-installing the SDK yourself, using a limited API key, keeping the AI label enabled by default, and not persisting secrets in plaintext shell startup files unless you understand the tradeoff.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
User-provided face and template images leave the local environment and the generated result is returned as a Tencent-hosted URL.
The script sends the selected face-fusion inputs to Tencent Cloud's FaceFusion API; local image files are read and base64-encoded before being placed into API parameters.
http_profile.endpoint = "facefusion.tencentcloudapi.com"
Only use images you are comfortable sending to Tencent Cloud, and treat the returned image URL as sensitive while it remains valid.
API calls may consume quota or incur charges under the configured Tencent Cloud account.
The script uses Tencent Cloud account credentials from environment variables to call the API. This is expected for the provider integration, but users should understand it delegates account authority to the skill.
secret_id = os.getenv("TENCENTCLOUD_SECRET_ID")
secret_key = os.getenv("TENCENTCLOUD_SECRET_KEY")
Use a least-privileged Tencent Cloud key, rotate it if exposed, and avoid storing long-lived secrets in shell profiles unless necessary.
First use may modify the local Python environment and depends on the currently available package version.
If the Tencent SDK is missing, the script automatically installs an unpinned package from the Python package ecosystem at runtime.
[sys.executable, "-m", "pip", "install", "tencentcloud-sdk-python", "-q"]
Prefer pre-installing and pinning the Tencent SDK in a controlled environment if reproducibility or supply-chain control matters.
A clearly requested face-fusion task may run immediately, uploading images and using API quota without an additional prompt.
The skill instructs the agent not to ask for an extra confirmation after the user provides images and requests face fusion.
Zero-interaction principle: the Agent should execute the script directly and not ask the user for any confirmation.
Users should invoke it only when they intend to send the selected images to Tencent; agents should still ask clarifying questions when the requested images, consent, or cost are ambiguous.
Generated face-fusion images can be produced without an AI label if that option is used, which may affect how others interpret the image.
The default adds an AI-synthesis marker, but the documented option can disable that marker.
`--logo-add` ... whether to add the AI-synthesis marker (0: do not add, 1: add), default 1
Keep the AI-synthesis marker enabled unless there is a legitimate reason to remove it, and disclose synthetic images when sharing them.
