Skin Pro
Pass
Audited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill
Name: skin-pro
Version: 1.0.0
The 'skin-pro' skill is a legitimate integration for a professional skin analysis service. The core logic in `scripts/call_skin_pro.py` handles image uploads and API authentication (AES-CBC signature generation) to a specific endpoint (facepro.ragehealth.cn) using environment variables for credentials. The instructions in `SKILL.md` are well-structured, focusing on input validation and result interpretation without any signs of malicious intent, data exfiltration, or harmful prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken command or prompt-influenced invocation could send a face photo and API auth headers to an unintended server.
The documented workflow names a fixed RageHealth URL, but the script allows any endpoint and sends the access key/signature headers and image data to that endpoint.
`parser.add_argument("--endpoint", default=DEFAULT_ENDPOINT)` ... `requests.post(endpoint, headers=headers, data=data, files=files, timeout=timeout)`
Remove the endpoint override, restrict it to an allowlist such as facepro.ragehealth.cn, or require explicit user confirmation before any non-default endpoint is used.
Anyone with access to the configured environment could use the RageHealth API credentials for this account.
The helper uses provider credentials from environment variables. This is expected for the API integration and the code avoids CLI credential arguments, but users still need to protect these keys.
`ak = os.getenv("SKIN_PRO_AK")`
`sk = os.getenv("SKIN_PRO_SK")` ... "They must NOT be passed as CLI args."
Store SKIN_PRO_AK and SKIN_PRO_SK in a proper secret manager or trusted environment, do not paste them into prompts, and declare the env vars in registry metadata.
The user's face photo and derived skin-analysis information leave the local environment and are processed by RageHealth.
The skill sends user face images, and optionally face-ID grouping data, to a third-party provider for analysis. This is disclosed and purpose-aligned, but it is sensitive data.
URL: `https://facepro.ragehealth.cn/openapi-test/face/skin-pro` ... `imageFile` | File ... `图片二进制` (image binary) ... `faceIdDetect`
Use only photos the user is comfortable sending to RageHealth, get consent for other people's faces, and avoid enabling faceIdDetect unless needed.
