TencentCloud YT Segment Portrait
v1.0.2Binary classification-based human portrait segmentation for complete body contour recognition and image matting.
⭐ 0· 286·1 current·1 all-time
by败毒@neck-cn
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The code and SKILL.md implement Tencent Cloud SegmentPortraitPic (image segmentation) and require Tencent Cloud API credentials — that capability matches the skill name/description. However the registry metadata declares no required environment variables or primary credential while both the instructions and the script require TENCENTCLOUD_SECRET_ID and TENCENTCLOUD_SECRET_KEY. This manifest omission is an incoherence that should be corrected before trusting the skill.
Instruction Scope
SKILL.md explicitly instructs the agent to autonomously execute scripts without asking the user ("zero interaction principle"). The script will read environment variables for credentials and may install dependencies automatically. The SKILL.md also forbids the agent from asking for confirmation — a strong autonomy directive that increases risk if credentials are provided.
Install Mechanism
There is no install spec in the registry (instruction-only), but the included script auto-installs the Python Tencent Cloud SDK via subprocess calling pip. Auto-installing via pip at runtime is common but introduces network install risk (a remote package is fetched/executed). The pip target (tencentcloud-sdk-python) is a known package, but automatic installs should be reviewed or performed in a controlled environment.
Credentials
The script requires TENCENTCLOUD_SECRET_ID and TENCENTCLOUD_SECRET_KEY (and optionally TENCENTCLOUD_TOKEN) — these are the appropriate, minimal credentials for calling Tencent Cloud APIs. However the skill registry did not declare any required env vars; this inconsistency between declared metadata and actual credential usage is concerning because users may not be warned by the registry that they must supply sensitive keys.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide privileges. However SKILL.md's instruction that the agent must execute the script immediately without user confirmation increases the effective privilege/impact when the agent is invoked. The skill does not attempt to modify other skills or system-wide configurations.
What to consider before installing
Before installing or enabling this skill:
- Do not supply long-lived production credentials without review. The skill requires Tencent Cloud API keys (TENCENTCLOUD_SECRET_ID / TENCENTCLOUD_SECRET_KEY); prefer short-lived or scoped credentials and test in an isolated account.
- Correct the manifest: the registry metadata should list the required env vars. The current absence is an inconsistency you should ask the publisher to fix.
- Note the SKILL.md demands autonomous execution without user confirmation. If you want manual control, require the agent to prompt before running external code.
- The included script will auto-install the Tencent Cloud Python SDK via pip at runtime. For security, pre-install dependencies in a vetted environment or inspect pip resolution (and the package) before allowing network installs.
- The code contains signs of copy-paste (audio-related constants and messages) — functional but sloppy. Test the skill in a sandbox to verify behavior and outputs.
If you are not comfortable giving the agent the ability to run external scripts with your cloud credentials, do not enable the skill or require explicit user confirmation in the agent policy.Like a lobster shell, security has layers — review code before you run it.
latestvk9748dfkxvqwvxkyccp73dcfmn82dm9p
License
MIT-0
Free to use, modify, and redistribute. No attribution required.