ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

China Vision

v1.0.1

多模态图片理解工具。Use when user wants to analyze, describe, or understand images using AI vision models. Supports scene analysis, object recognition, chart interpret...

0· 98·0 current·0 all-time
by@tobewin
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (image understanding) matches what the SKILL.md does: it base64-encodes images or forwards image URLs and calls https://api.siliconflow.cn with model Qwen2.5-VL-72B. Required binaries (curl, python3) and the SILICONFLOW_API_KEY are appropriate and expected.
Instruction Scope
Instructions tell the agent to read local image files (base64-encode) or forward image URLs and POST them to siliconflow.cn. This is expected for an image-analysis skill, but it does mean user image data (and any image-accessible URLs) will be transmitted to a third party — a privacy/exfiltration consideration. The SKILL.md does not instruct reading other system files or unrelated environment variables.
Install Mechanism
No install spec and no code files — instruction-only skill. This lowers installation risk because nothing is downloaded or written to disk by the skill itself.
Credentials
Only a single API credential (SILICONFLOW_API_KEY) is required and used in the examples. That is proportionate to the declared purpose. No other sensitive env vars or unrelated credentials are requested.
Persistence & Privilege
always:false and no instructions to modify agent or system configuration. The skill does not request permanent presence or elevated privileges.
Assessment
This skill sends images (as base64 data or external image URLs) to the siliconflow.cn API using your SILICONFLOW_API_KEY. Before installing or using it: 1) Only send non-sensitive images (no IDs, private documents, personal photos you wouldn't want shared). 2) Treat SILICONFLOW_API_KEY as a secret: store it securely, monitor usage, and be ready to rotate it if abused. 3) Be cautious when supplying image URLs — if you point to internal resources, those URLs or fetched content could be exposed to the external API. 4) Verify you trust the siliconflow.cn service (check their privacy/security policy and billing). 5) If you need on-device or more privacy-preserving analysis, consider local models or self-hosted alternatives instead of this cloud API.

Like a lobster shell, security has layers — review code before you run it.

latestvk97c2kx5jktdqxqsc9pt3vq1wx83n7zx

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

👁️ Clawdis
Binscurl, python3
EnvSILICONFLOW_API_KEY
Primary envSILICONFLOW_API_KEY

Comments