Tcm Face Tongue

Advisory: Audited by static analysis on May 8, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Face/tongue photos and related health analysis may leave the local environment and be processed by the external provider.

Why it was flagged

The skill sends user face/tongue images to an external RageHealth API. This is disclosed and central to the purpose, but the images and returned health-related analysis are sensitive.

Skill content

Gateway: `https://facepro.ragehealth.cn/openapi-test` ... `POST` + `multipart/form-data` ... `imageUrl` or `imageFile`

Recommendation

Use only with consent from the person in the photos, verify whether the test or production endpoint is appropriate, and review RageHealth’s privacy/data-retention terms before use.

What this means

Anyone who can access the runtime environment or .env files may be able to use the configured RageHealth credentials.

Why it was flagged

The script uses RageHealth API credentials from environment variables or .env loading. This is expected for the API integration, but the registry metadata does not declare required credentials.

Skill content

```python
import os

# RageHealth access key and secret key are read from the process
# environment (or from a .env file loaded beforehand).
ak = os.getenv("TCM_AK")
sk = os.getenv("TCM_SK")
```

Recommendation

Keep TCM_AK/TCM_SK out of prompts and shared logs, store .env files securely, and rotate credentials if they may have been exposed.

What this means

Saved JSON files may contain sensitive biometric and health-related information that could be reused or exposed later.

Why it was flagged

When an output file is requested, the full response may persist detailed biometric landmarks and health analysis locally.

Skill content

Large fields (stripped from stdout by the script by default; kept only in the `--output` file): `landmarks` / `raw_landmarks`

Recommendation

Write outputs only to trusted locations, avoid sharing the full JSON unless necessary, and delete stored results when no longer needed.

What this means

Future dependency versions could change behavior or introduce vulnerabilities if installed without review.

Why it was flagged

Dependencies use lower-bound version ranges rather than exact pins. These are common packages and align with the purpose, but exact versions are not locked.

Skill content

requests>=2.28
pycryptodome>=3.18
python-dotenv>=1.0

Recommendation

Install dependencies from a trusted package index and consider pinning reviewed versions in controlled environments.