Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

讯飞票据识别 (iFlytek Invoice Recognition)

v1.0.0

Recognize and extract structured data from invoices, receipts, and bills using the iFlytek OCR API (科大讯飞票据识别, iFlytek invoice recognition). Supports VAT invoices, taxi receipts, train ticket...

0 · 98 · 0 current · 0 all-time
by Iflytek AIcloud (@qingzhe2020)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description, SKILL.md, and scripts/invoice.py all consistently implement iFlytek (讯飞) invoice OCR and call the documented API endpoint (api.xf-yun.com). However, the registry metadata declares no required environment variables, while both the documentation and the code require XFEI_APP_ID, XFEI_API_KEY, and XFEI_API_SECRET: a coherence mismatch between what the registry tells the user and what the skill actually needs, and one that should be corrected.
Instruction Scope
SKILL.md instructs the user to run scripts/invoice.py and to set the three XFEI env vars. The runtime instructions and code only read the supplied image file and the three credentials and make a POST to the iFlytek API; they do not access other system files or unrelated services. One minor caution: SKILL.md includes explicit echo commands that print the environment variables for debugging, which would expose the secrets if run in a shared environment or anywhere the terminal output is captured.
Install Mechanism
Instruction-only skill with no install spec and no external downloads. The included Python script uses only standard library modules; nothing is written to disk beyond normal runtime behavior.
Credentials
Requiring XFEI_APP_ID, XFEI_API_KEY, and XFEI_API_SECRET is proportionate to the stated purpose (signed API calls). The concern is that the registry metadata does not declare these required env vars; the omission misleads users about which secrets they will have to provide and therefore trust the skill with.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills or system configuration. It runs as an on-demand script and uses environment variables for credentials.
What to consider before installing
This skill appears to genuinely implement iFlytek invoice OCR, but the package metadata omits the three required environment variables. Before installing:
1) Confirm the registry entry has been updated to declare XFEI_APP_ID, XFEI_API_KEY, and XFEI_API_SECRET.
2) Supply only minimally scoped credentials (a dedicated or test iFlytek account if possible), so that a leak costs no more than that account's quota.
3) Do not run the echo debug lines from SKILL.md in a shared environment or anywhere terminal output is logged; they print the secrets in clear text.
4) Test with non-sensitive images first, and verify that the endpoint the script calls is the documented one (https://api.xf-yun.com/v1/private/sc45f0684) and that your account limits and costs are acceptable.
5) For stronger assurance, ask the publisher to explain why the metadata lacks env var declarations and to provide a homepage or source repository for review.
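The three checks the scan report describes (credentials read by the script but not declared in the registry metadata, echo lines in SKILL.md that print those credentials, and any call to a host other than the documented api.xf-yun.com endpoint) can be run locally before installing. The following is an added example, not ClawHub's scanner and not the skill's own code: the registry metadata, SKILL.md and script it inspects are constructed samples that reproduce the mismatch reported above, and the metadata key "env" for the declared variables is an assumption about the registry format.

```python
"""Pre-install coherence check for a ClawHub-style skill package.

Added example, not ClawHub's scanner and not the skill's own code. The
registry metadata, SKILL.md and script below are constructed samples that
reproduce the mismatch the scan reports; the metadata key "env" for the
declared environment variables is an assumption.
"""
from __future__ import annotations

import re

# Constructed registry metadata: no env vars declared (the flagged omission).
SAMPLE_METADATA = {"name": "xfyun-invoice-ocr", "env": []}

# Constructed SKILL.md with the kind of echo debugging lines the scan warns about.
SAMPLE_SKILL_MD = """# Invoice OCR
Set the credentials before running:
export XFEI_APP_ID=...
export XFEI_API_KEY=...
export XFEI_API_SECRET=...
Debugging:
echo $XFEI_APP_ID
echo "$XFEI_API_KEY"
Run: python scripts/invoice.py image.jpg
"""

# Constructed script excerpt: reads three credentials, posts to the documented host.
SAMPLE_SCRIPT = '''import os
import urllib.request

APP_ID = os.environ["XFEI_APP_ID"]
API_KEY = os.getenv("XFEI_API_KEY")
API_SECRET = os.environ.get("XFEI_API_SECRET")
URL = "https://api.xf-yun.com/v1/private/sc45f0684"
'''

DOCUMENTED_HOSTS = {"api.xf-yun.com"}

# Matches os.environ["X"], os.environ.get("X") and os.getenv("X").
ENV_REF = re.compile(
    r'os\.(?:environ(?:\.get)?|getenv)\s*[\[(]\s*["\']([A-Z][A-Z0-9_]*)["\']'
)
ECHO_LINE = re.compile(r"^\s*echo\b(.*)$", re.MULTILINE)
SHELL_VAR = re.compile(r"\$\{?([A-Z][A-Z0-9_]*)\}?")
URL_HOST = re.compile(r"https?://([^/\s\"']+)")


def env_vars_used(script: str) -> set[str]:
    """Environment variable names the script reads."""
    return set(ENV_REF.findall(script))


def undeclared_env_vars(metadata: dict, script: str) -> set[str]:
    """Variables the script needs that the registry metadata does not declare."""
    return env_vars_used(script) - set(metadata.get("env") or [])


def secret_echo_lines(skill_md: str, credential_names: set[str]) -> list[str]:
    """Shell lines in SKILL.md that would print a credential to the terminal."""
    hits = []
    for m in ECHO_LINE.finditer(skill_md):
        if set(SHELL_VAR.findall(m.group(1))) & credential_names:
            hits.append(m.group(0).strip())
    return hits


def unexpected_hosts(script: str, allowed: set[str]) -> set[str]:
    """Hosts the script contacts that are not the documented endpoint."""
    return set(URL_HOST.findall(script)) - allowed


def credentials_status(environ: dict, names: set[str]) -> dict[str, str]:
    """Safe replacement for `echo $XFEI_API_KEY`: report presence, never values."""
    return {n: ("set" if environ.get(n) else "MISSING") for n in sorted(names)}


def review(metadata: dict, skill_md: str, script: str, allowed_hosts: set[str]) -> list[str]:
    """Run all checks and return human-readable findings (empty list means clean)."""
    findings = []
    used = env_vars_used(script)
    missing = undeclared_env_vars(metadata, script)
    if missing:
        findings.append("metadata omits env vars the script reads: " + ", ".join(sorted(missing)))
    echoed = secret_echo_lines(skill_md, used)
    if echoed:
        findings.append("SKILL.md prints credentials: " + "; ".join(echoed))
    hosts = unexpected_hosts(script, allowed_hosts)
    if hosts:
        findings.append("script contacts undocumented hosts: " + ", ".join(sorted(hosts)))
    return findings


if __name__ == "__main__":
    import os

    for line in review(SAMPLE_METADATA, SAMPLE_SKILL_MD, SAMPLE_SCRIPT, DOCUMENTED_HOSTS):
        print("FINDING:", line)
    # Presence-only report of the real environment, the safe way to debug step 3.
    print(credentials_status(dict(os.environ), env_vars_used(SAMPLE_SCRIPT)))
```

Against the constructed samples the script reports two findings (the undeclared variables and the two echo lines) and no host finding, which matches the scan's verdict that the code itself only talks to api.xf-yun.com. To apply it to the real package, replace the three SAMPLE_* values with the contents of the downloaded metadata, SKILL.md and scripts/invoice.py; the regular expressions are deliberately narrow and will miss indirect credential access, so treat an empty findings list as a sanity check, not as proof of safety.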


latest · vk97fw7a601rh8dcptf550syjxh834be8

