v1.0.0

dmxapi-image-recognition

Benign
ClawScan verdict for this skill. Analyzed May 1, 2026, 8:30 AM.

Analysis

This skill is coherent for image recognition, but users should notice that it relies on a third-party CLI, stores a DMXAPI key, and uploads chosen images to an external API.

Guidance: This appears appropriate for DMXAPI-based image recognition. Before installing or using it, verify the dmxapi-cli package, protect the configured API key, and do not upload private IDs, contracts, screenshots, or other sensitive images unless you are comfortable with DMXAPI processing them.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low; Confidence: High; Status: Note
SKILL.md
npm install -g dmxapi-cli

The skill asks the user to install a global third-party CLI package, and the artifact does not pin a version. This is central to the skill's purpose but should be treated as a package trust/provenance consideration.

User impact: Installing the CLI gives that npm package code a place in the user's local environment.
Recommendation: Install dmxapi-cli only from a trusted source, consider pinning or verifying the package version, and review npm package trust before use.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low; Confidence: High; Status: Note
SKILL.md
dmxapi config set apiKey sk-your-api-key

The skill requires configuring a DMXAPI API key for the CLI. This credential use is expected for the DMXAPI integration, but it is still account access material.

User impact: Anyone or anything able to use the configured CLI may be able to make requests against the user's DMXAPI account.
Recommendation: Use a dedicated API key if possible, keep it out of shared logs or screenshots, and revoke or rotate it if it is exposed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium; Confidence: High; Status: Note
SKILL.md
Local image files are automatically converted to a base64 data URL and uploaded ... Extract the name and ID number from an ID-card image

The skill explicitly uploads local images to the external DMXAPI service, and its examples include sensitive document/image use cases such as extracting ID-card information.

User impact: Private images, documents, screenshots, or ID-card contents may be sent to DMXAPI and downstream model providers for processing.
Recommendation: Only analyze images you are comfortable sending to DMXAPI, avoid uploading highly sensitive documents unless permitted, and check DMXAPI's data handling terms for retention and provider sharing.