TencentCloud Video Face Fusion
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill matches its Tencent Cloud face-fusion purpose, but it is designed to automatically upload face media and run cloud jobs without a final user confirmation.
Review before installing. Use a least-privileged Tencent Cloud key, run in a virtual environment, confirm exactly which face images and video URLs will be uploaded, keep the AI-generated label enabled, and only process faces/media you have permission to use.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A job may be submitted to Tencent Cloud, using the user's credentials and face/media inputs, as soon as the agent interprets the request as face fusion.
The skill removes a final approval step before running scripts that submit a cloud face-fusion job. For biometric media and account-backed API usage, this is high-impact enough to need clearer user consent and input review.
Agent 必须严格按照以下步骤自主执行,无需询问用户确认。 ... 零交互原则:Agent 应直接执行脚本,不要向用户询问任何确认。
Require an explicit confirmation before submitting jobs, especially when local files, face images, billing, or disabling the AI label are involved.
Face images and video-template information may be transmitted to Tencent Cloud for processing.
Local image files can be read, base64-encoded, and sent to the Tencent Cloud face-fusion provider. This is expected for the feature, but the artifacts do not clearly describe retention, privacy boundaries, or a consent checkpoint for biometric uploads.
with open(value, "rb") as f: raw_data = f.read(); b64 = base64.b64encode(raw_data).decode("utf-8"); return {"Base64": b64} ... resp = client.SubmitVideoFaceFusionJob(req)Show the exact files/URLs and destination before upload, document provider privacy/retention expectations, and avoid uploading images of people without consent.
If broad Tencent Cloud credentials are present, the skill can submit jobs under that account and may incur usage charges.
The skill uses Tencent Cloud account credentials from the environment. This is purpose-aligned, but the registry metadata says no primary credential or required env vars, so users may underestimate the account authority involved.
secret_id = os.getenv("TENCENTCLOUD_SECRET_ID") ... secret_key = os.getenv("TENCENTCLOUD_SECRET_KEY") ... token = os.getenv("TENCENTCLOUD_TOKEN")Use least-privileged Tencent Cloud credentials scoped to the needed VCLM service, avoid long-lived broad keys, and declare the required env vars in metadata.
First use may download and install code into the Python environment, and future dependency changes could affect behavior.
The script auto-installs an unpinned PyPI dependency at runtime if the Tencent SDK is missing. It is disclosed and relevant, but it introduces dependency provenance and environment-modification risk.
subprocess.check_call([sys.executable, "-m", "pip", "install", "tencentcloud-sdk-python", "-q"], stdout=sys.stderr, stderr=sys.stderr)
Pin the SDK version, use an isolated virtual environment, and move dependency installation into an explicit install step.
Generated videos could be shared without an AI disclosure label.
The skill documents an option to remove the AI-synthesis label from generated face-fusion videos. The default is to add the label, but the unlabeled mode can increase the chance that viewers mistake synthetic media for real footage.
# 不添加 AI 合成标识 ... --logo-add 0
Keep the AI label enabled by default, disclose that outputs are synthetic, and obtain consent from people whose faces are used.