License Plate Reader
PassAudited by ClawScan on May 1, 2026.
Overview
This skill is coherent for license-plate OCR, but it sends user-selected images and a TrafficEye API key to an external API, so users should confirm they trust that service and endpoint.
This appears safe for its stated purpose if you trust TrafficEye and the packaged helper. Before installing, confirm the API endpoint is the real TrafficEye endpoint, use header or bearer authentication where possible, and avoid uploading images that contain sensitive license plates, locations, or people unless you are comfortable with third-party processing.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your TrafficEye API key will be used to authenticate recognition requests, and a misconfigured auth mode or endpoint could expose that key.
The skill uses a provider credential and supports multiple credential transport modes. This is expected for TrafficEye API access, but query or form transport can expose keys more easily than header/bearer modes if selected.
`TRAFFICEYE_API_KEY`: required unless passed explicitly to the helper. ... `TRAFFICEYE_API_KEY_MODE`: one of `header`, `bearer`, `form`, `query`. Default: `header`.
Use the default header mode when possible, keep the API key scoped to TrafficEye use, and only set a custom API URL or query/form key mode if your deployment specifically requires it.
Images you provide may leave your local environment and be processed by TrafficEye.
The core workflow sends a local image to an external provider. This is purpose-aligned for license-plate OCR, but images and plate text can be privacy-sensitive.
Uploads the image to the TrafficEye recognition API.
Only use this skill with images you are allowed to upload, and confirm TrafficEye's privacy and retention terms if the images contain personal, business, or location-sensitive information.
You have less independent provenance information for the helper code beyond the packaged artifact and publisher metadata.
The registry metadata does not identify a source repository or provenance for the bundled helper. This is a provenance gap, not evidence of malicious behavior.
Source: unknown
Review the bundled helper before installing in sensitive environments and prefer trusted publisher or source-linked releases when available.