Skill v1.0.3
ClawScan security
Bus Ticket Ocr · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 16, 2026, 5:38 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent with an OCR-for-bus-tickets purpose: it requires a single SCNET API key, uses a contained Python script to POST the provided image to Scnet's OCR endpoint, and does not request unrelated credentials or perform unexpected local/system access.
- Guidance: This skill will send any image file path you provide to Scnet's OCR API and requires an SCNET_API_KEY. Before installing, verify you trust the Scnet service and are comfortable sending those images off-host (do not send sensitive personal data unless you accept that). Correct the metadata mismatch: the registry should declare SCNET_API_KEY as required so the platform can surface the credential prompt. Store the API key securely (use an environment variable or config/.env with permissions 600 as recommended) and never paste it into chat. If you need to keep images local, do not use this skill; consider an offline OCR alternative. Finally, note the skill's homepage entry in skill.yaml appears to be a placeholder; if provenance matters, ask the publisher for an authoritative source repository or documentation.
Review Dimensions
- Purpose & Capability (note): The skill's name/description (bus ticket OCR) align with the included code and SKILL.md, which call Scnet's OCR API. One inconsistency: the registry metadata at the top of the submission reported "Required env vars: none", but SKILL.md, skill.yaml, and scripts/main.py all require SCNET_API_KEY (and optionally SCNET_API_BASE). This discrepancy is likely a packaging/metadata error and should be corrected.
- Instruction Scope (ok): SKILL.md and the script limit actions to reading a local image file path supplied by the user, loading SCNET_API_KEY from env or config/.env, and POSTing the file to https://api.scnet.cn/api/llm/v1/ocr/recognize. The instructions and code do not attempt to read other system files or unrelated environment variables. Note: the skill will transmit the user-supplied image to an external API (Scnet); this is expected for an OCR service but is a privacy consideration for sensitive images.
- Install Mechanism (ok): No install spec; the skill is instruction-only with an included Python script. Dependencies are minimal (python3, requests) and there is no remote download or archive extraction. This is low-risk from an install perspective.
- Credentials (note): The only required credential is SCNET_API_KEY (plus optional SCNET_API_BASE). That is proportionate to the stated functionality. Again, the registry metadata incorrectly listed no required env vars while the skill actually requires SCNET_API_KEY; ensure the platform prompts for this credential before use.
- Persistence & Privilege (ok): The skill does not request permanent/always-on presence and does not modify other skills or system configuration. It runs as a normal invocable skill and only reads/writes within its own skill directory (reads config/.env if present).
