Skin Pro
Review
Audited by ClawScan on May 10, 2026.
Overview
This skin-analysis skill mostly matches its stated purpose, but its helper script can redirect face photos and API auth headers to any endpoint instead of only the documented provider.
Review this skill before installing. Only use it if you trust RageHealth with face photos, keep the API keys out of chats, avoid using --endpoint, and do not enable face ID detection unless necessary. Treat results as informational, not medical diagnosis.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken command or prompt-influenced invocation could send a face photo and API auth headers to an unintended server.
The documented workflow names a fixed RageHealth URL, but the script allows any endpoint and sends the access key/signature headers and image data to that endpoint.
```python
parser.add_argument("--endpoint", default=DEFAULT_ENDPOINT)
...
requests.post(endpoint, headers=headers, data=data, files=files, timeout=timeout)
```
Remove the endpoint override, restrict it to an allowlist such as facepro.ragehealth.cn, or require explicit user confirmation before any non-default endpoint is used.
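One way to implement the allowlist-plus-confirmation option from that recommendation, as an added example and not code from the Skin Pro skill or RageHealth: the validator rejects anything that is not https, anything whose host is not on the allowlist (including userinfo and lookalike-suffix tricks), and any non-default endpoint unless the user passed an explicit confirmation flag. The default URL and the allowlisted host are the ones named in this review; the flag name `--confirm-endpoint` and the function names are assumptions.

```python
"""Added example: constrain a helper script's --endpoint override so face images
and API auth headers can only be posted to the documented provider.

Assumptions (not from the skill): the --confirm-endpoint flag and all function
names below are hypothetical; the default URL and allowlisted host come from
the review text.
"""
import argparse
from urllib.parse import urlparse

# Documented provider URL named in the review.
DEFAULT_ENDPOINT = "https://facepro.ragehealth.cn/openapi-test/face/skin-pro"

# Hosts the helper may send the image and access key/signature headers to.
ALLOWED_HOSTS = frozenset({"facepro.ragehealth.cn"})


class EndpointRejected(ValueError):
    """Raised when an endpoint fails the allowlist or confirmation check."""


def check_endpoint(endpoint: str, confirmed: bool = False) -> str:
    """Return endpoint if it is safe to post credentials and images to.

    Rules (assumed hardening, not the skill's own logic):
    - scheme must be https, otherwise the auth headers travel in clear text
    - host must be on ALLOWED_HOSTS; userinfo ("host@attacker") and explicit
      ports are refused so the allowlist match stays unambiguous
    - any endpoint other than DEFAULT_ENDPOINT needs confirmed=True, so a
      prompt-influenced or mistyped invocation cannot silently redirect data
    """
    parsed = urlparse(endpoint)
    if parsed.scheme != "https":
        raise EndpointRejected(f"refusing non-https endpoint: {endpoint}")
    try:
        port = parsed.port
    except ValueError:
        raise EndpointRejected(f"refusing endpoint with malformed port: {endpoint}")
    if parsed.username is not None or parsed.password is not None or port is not None:
        raise EndpointRejected(f"refusing endpoint with userinfo or port: {endpoint}")
    host = (parsed.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        raise EndpointRejected(f"host {host!r} is not on the endpoint allowlist")
    if endpoint != DEFAULT_ENDPOINT and not confirmed:
        raise EndpointRejected(
            "non-default endpoint requires --confirm-endpoint (explicit user confirmation)"
        )
    return endpoint


def endpoint_accepted(endpoint: str, confirmed: bool = False) -> bool:
    """Boolean wrapper around check_endpoint for dry runs and tests."""
    try:
        check_endpoint(endpoint, confirmed)
    except EndpointRejected:
        return False
    return True


def build_parser() -> argparse.ArgumentParser:
    parser = argparse.ArgumentParser(description="hardened endpoint handling (example)")
    parser.add_argument("--endpoint", default=DEFAULT_ENDPOINT,
                        help="API endpoint; host must be on the allowlist")
    parser.add_argument("--confirm-endpoint", action="store_true",
                        help="acknowledge that a non-default endpoint will receive "
                             "the face image and the API auth headers")
    return parser


def resolve_endpoint(argv: list[str]) -> str:
    """Parse argv and return the validated endpoint, or raise EndpointRejected."""
    args = build_parser().parse_args(argv)
    return check_endpoint(args.endpoint, confirmed=args.confirm_endpoint)


if __name__ == "__main__":
    import sys
    try:
        # Only the validated URL is printed here; the real helper would pass it to
        # requests.post after this check, never before.
        print("would post to", resolve_endpoint(sys.argv[1:]))
    except EndpointRejected as exc:
        sys.exit(f"error: {exc}")
```

The check runs before any credentials are read or any request is built, so a rejected endpoint never sees the access key, the signature, or the image. Keeping the allowlist as exact hostnames (rather than a substring or prefix match) is what defeats `facepro.ragehealth.cn.attacker.example` and `facepro.ragehealth.cn@attacker.example`.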
Anyone with access to the configured environment could use the RageHealth API credentials for this account.
The helper uses provider credentials from environment variables. This is expected for the API integration and the code avoids CLI credential arguments, but users still need to protect these keys.
```python
ak = os.getenv("SKIN_PRO_AK")
sk = os.getenv("SKIN_PRO_SK")
...
"They must NOT be passed as CLI args."
```
Store SKIN_PRO_AK and SKIN_PRO_SK in a proper secret manager or a trusted environment, do not paste them into prompts, and declare the env vars in registry metadata.
The user's face photo and derived skin-analysis information leave the local environment and are processed by RageHealth.
The skill sends user face images, and optionally face-ID grouping data, to a third-party provider for analysis. This is disclosed and purpose-aligned, but it is sensitive data.
URL: `https://facepro.ragehealth.cn/openapi-test/face/skin-pro` ... `imageFile` | File ... image binary ... `faceIdDetect`
Use only photos the user is comfortable sending to RageHealth, get consent for other people's faces, and avoid enabling faceIdDetect unless needed.
