TencentCloud YT Segment Portrait
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: tencentcloud-yt-segment-portrait
Version: 1.0.2
The skill provides human portrait segmentation using the Tencent Cloud BDA API. While the core script (main.py) contains several copy-paste remnants from an audio recognition (ASR) skill (such as unused audio format maps and a function named 'call_asr'), the logic correctly implements the image segmentation request. It follows standard practices for OpenClaw skills, including environment-based credential management and automatic installation of the official Tencent Cloud SDK. No evidence of data exfiltration, malicious execution, or harmful prompt injection was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Images or image URLs you ask the skill to process may be transmitted to Tencent Cloud, and the returned signed result URLs may be accessible to anyone who has the link until they expire.
The script sends the selected image data or URL to Tencent Cloud's BDA API. This is expected for cloud-based portrait segmentation, but it means image contents leave the local environment.
http_profile.endpoint = "bda.tencentcloudapi.com" ... params["Image"] = pic_b64 ... resp = client.SegmentPortraitPic(req)
Use this skill only with images you are comfortable sending to Tencent Cloud, and avoid sharing returned result URLs if the image is sensitive.
If configured with broad or long-lived Tencent Cloud keys, the skill can make API calls under that account for this service.
The skill requires Tencent Cloud account credentials. This is normal for calling Tencent Cloud APIs, but those credentials authorize use of the user's cloud account and may incur charges.
This Skill requires a Tencent Cloud API key... export TENCENTCLOUD_SECRET_ID="你的SecretId" ... export TENCENTCLOUD_SECRET_KEY="你的SecretKey"
Use least-privilege Tencent Cloud CAM credentials where possible, monitor billing/quota, and avoid storing keys in shared shell profiles.
First use may modify the Python environment and run newly downloaded package code.
If the Tencent Cloud SDK is missing, the script installs it automatically from PyPI without pinning a version. This is disclosed in SKILL.md, but it still introduces normal package supply-chain risk.
[sys.executable, "-m", "pip", "install", "tencentcloud-sdk-python", "-q"]
Prefer installing the dependency in a virtual environment with a pinned, reviewed version before using the skill.
A clear user request to segment an image can directly trigger the script and consume Tencent Cloud API quota.
The skill instructs the agent not to ask for an additional confirmation after the user requests portrait segmentation. This is aligned with the intended workflow but removes an extra review step before the cloud API call.
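When the user provides an image and requests portrait segmentation, the Agent must strictly follow the steps below and execute them autonomously, without asking the user for confirmation.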
If you want per-call confirmation before sending images to Tencent Cloud, adjust your agent settings or ask the agent to confirm before running this skill.
