License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
medium confidence
Purpose & Capability
The declared purpose is fixed‑amount invoice OCR, and the code and skill instructions call an OCR endpoint (https://api.scnet.cn/api/llm/v1/ocr/recognize) using an API key; this is coherent. However, the registry metadata at the top of the report claimed no required env vars, while SKILL.md and skill.yaml correctly declare SCNET_API_KEY as required. This mismatch is a packaging/documentation inconsistency.
Instruction Scope
SKILL.md and scripts/main.py limit actions to reading a local image file, loading SCNET_API_KEY (from env or config/.env), and making a multipart POST to the official Scnet OCR endpoint. The script prints JSON results and exits on errors. There are no instructions to read unrelated files, transmit data to third‑party endpoints beyond api.scnet.cn, or perform other system probing.
Install Mechanism
This is an instruction-only skill with a small Python script and no install spec; it only requires Python and the requests library (pip install requests). No remote archives or arbitrary downloads are executed by the skill itself.
Credentials
The skill requires a single service credential (SCNET_API_KEY) and optionally SCNET_API_BASE, which is appropriate for an HTTP API client. The concerning bit is the top-level registry metadata in the report that listed no required env vars while both SKILL.md and skill.yaml require SCNET_API_KEY—this mismatch should be resolved before trusting metadata-driven installs.
Persistence & Privilege
The skill sets always:false and does not request persistent or system-wide changes or alter other skills. It does not enable any elevated or always‑loaded behavior.
Assessment
This skill is internally consistent with its stated purpose: it reads a local image and uploads it to api.scnet.cn using a SCNET_API_KEY. Before installing, verify the source (the skill lists a GitHub homepage placeholder in skill.yaml, so confirm the real repository), and fix the metadata discrepancy (registry saying no env vars vs. files declaring SCNET_API_KEY). Only provide a scoped API key you trust; do not paste the key into chat. Consider running the script in an isolated environment or container, restrict the API key permissions if possible, and review the small Python script yourself (it is included) to confirm there are no changes you object to. If you want higher assurance, ask the publisher to correct the registry metadata and provide a verifiable upstream repository URL.
