Ekyc Suite

This skill is plausibly what it claims: it calls Tencent Cloud eKYC and media-labeling endpoints and needs two sets of API credentials. Key issues you should consider before installing: - Sensitive outputs: The scripts perform OCR and will obtain names, ID numbers, and bank card numbers from images. SKILL.md tells the agent not to accept personal text inputs and shows masked examples, but there is no guaranteed automatic redaction in the code. Ask the author (or modify the skill) to enforce redaction of ID/bank numbers before any text is returned to users, or implement an explicit policy that blocks returning raw PII. - Credentials: Provide only test credentials as the docs advise. These credentials let the skill make upstream API calls that transmit the image/video data to Tencent Cloud; use least privilege and avoid putting production keys in the environment. - Data flow & compliance: The skill transmits base64-encoded images/videos to third-party endpoints. Confirm the upstream provider's data retention and legal compliance policies before sending any real user biometric data. - Operational safety: The code blocks private/internal URLs for SSRF and enforces file size limits, which is good. Still, run the skill in a controlled environment (sandbox) and verify behavior with test data first. What would raise confidence to 'benign': an explicit, auditable redaction step (or config option) that strips or masks PII from OCR outputs before any text response; and a clear statement in the package that the skill will never return unmasked identifiers. If you cannot get that guarantee, treat the skill as risky for handling unredacted PII.