TencentCloud YT Segment Portrait

Pass. Audited by ClawScan on May 10, 2026.

Overview

The skill appears to perform the advertised Tencent Cloud portrait segmentation, with expected notes for cloud image upload, API credentials, and runtime SDK installation.

This skill looks coherent and purpose-aligned. Before installing, make sure you are comfortable sending selected images to Tencent Cloud, use limited Tencent Cloud credentials, watch for API costs, and consider preinstalling the Tencent SDK in a pinned virtual environment instead of relying on runtime auto-installation.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Images or image URLs you ask the skill to process may be transmitted to Tencent Cloud, and the returned signed result URLs may be accessible to anyone who has the link until they expire.

Why it was flagged

The script sends the selected image data or URL to Tencent Cloud's BDA API. This is expected for cloud-based portrait segmentation, but it means image contents leave the local environment.

Skill content
http_profile.endpoint = "bda.tencentcloudapi.com" ... params["Image"] = pic_b64 ... resp = client.SegmentPortraitPic(req)
Recommendation

Use this skill only with images you are comfortable sending to Tencent Cloud, and avoid sharing returned result URLs if the image is sensitive.

What this means

If configured with broad or long-lived Tencent Cloud keys, the skill can make API calls under that account for this service.

Why it was flagged

The skill requires Tencent Cloud account credentials. This is normal for calling Tencent Cloud APIs, but those credentials authorize use of the user's cloud account and may incur charges.

Skill content
This Skill requires Tencent Cloud API keys... export TENCENTCLOUD_SECRET_ID="你的SecretId" ... export TENCENTCLOUD_SECRET_KEY="你的SecretKey"
Recommendation

Use least-privilege Tencent Cloud CAM credentials where possible, monitor billing/quota, and avoid storing keys in shared shell profiles.

What this means

First use may modify the Python environment and run newly downloaded package code.

Why it was flagged

If the Tencent Cloud SDK is missing, the script installs it automatically from PyPI without pinning a version. This is disclosed in SKILL.md, but it still introduces normal package supply-chain risk.

Skill content
[sys.executable, "-m", "pip", "install", "tencentcloud-sdk-python", "-q"]
Recommendation

Prefer installing the dependency in a virtual environment with a pinned, reviewed version before using the skill.

What this means

A clear user request to segment an image can directly trigger the script and consume Tencent Cloud API quota.

Why it was flagged

The skill instructs the agent not to ask for an additional confirmation after the user requests portrait segmentation. This is aligned with the intended workflow but removes an extra review step before the cloud API call.

Skill content
When the user provides an image and requests portrait segmentation, the Agent must strictly follow the steps below autonomously, without asking the user for confirmation.
Recommendation

If you want per-call confirmation before sending images to Tencent Cloud, adjust your agent settings or ask the agent to confirm before running this skill.