Skill v1.0.8

ClawScan security

TencentCloud Text AIGC Detection · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 31, 2026, 11:29 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and required environment variables are internally consistent with a Tencent Cloud Text Moderation AIGC detection integration; it requires your Tencent Cloud API credentials and will send text to Tencent's tms.tencentcloudapi.com endpoint.
Guidance
This skill appears to be what it claims: it runs an included Python script that sends text to Tencent Cloud's TextModeration API and returns the provider's verdict. Before installing or using it:
1) Be prepared to provide your Tencent Cloud SecretId/SecretKey and a BizType; these credentials will be used to make API calls (do not share them elsewhere).
2) The script will send any text you submit to tms.tencentcloudapi.com — do not submit sensitive personal data or secrets.
3) The package will require the public 'tencentcloud-sdk-python' to be installed (pip); review and approve dependency installation.
4) The skill source/homepage is not listed — if you need higher assurance, review the provided scripts/main.py yourself to confirm there is no unexpected behavior (the included file appears to be a straightforward SDK client).
5) Note SKILL.md tells the agent to run the script autonomously when matching user intents; if you want explicit confirmation before sending text externally, enforce that in your agent policy or do not enable automatic invocation.

Review Dimensions

Purpose & Capability
ok
The name/description (TencentCloud AIGC text detection) aligns with the code and instructions: the script calls Tencent Cloud's TextModeration API (tms.tencentcloudapi.com) with Type=TEXT_AIGC and requires the expected Tencent credentials and BizType.
Instruction Scope
note
SKILL.md instructs the agent to run the included Python script and to read text from a string, file path, or stdin — all within the stated purpose. It also requires the agent to install dependencies manually (the script prints a pip install instruction on ImportError) and mandates the agent execute the script autonomously when users ask for detection; that behavior is coherent with a detection skill but is a privacy consideration because text will be transmitted to Tencent Cloud without additional user confirmation if invoked.
Install Mechanism
ok
No install spec is provided (instruction-only). The included script depends on the public 'tencentcloud-sdk-python' package and simply prompts the user to pip install it if missing. No downloads from untrusted URLs or archive extraction are present in the repository.
Credentials
ok
The only required environment variables are TENCENTCLOUD_SECRET_ID, TENCENTCLOUD_SECRET_KEY and a BizType (plus optional TENCENTCLOUD_TOKEN), which are appropriate and expected for calling Tencent Cloud APIs. No unrelated credentials or broad system paths are requested.
Persistence & Privilege
ok
The skill does not request persistent installation privileges or 'always' inclusion. It contains no code to modify other skills or global agent settings. Note: the skill allows autonomous invocation (platform default), and SKILL.md instructs the agent to run the script automatically when a detection intent is detected — this is expected for a callable detection skill but has privacy implications.