Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
TencentCloud VITA
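v1.0.9
Tencent Cloud image and video understanding (TencentCloud VITA / vita) skill. Used for image understanding, video understanding, image analysis, video analysis, description generation, surveillance footage analysis, sports highlight extraction, live-stream understanding, news video summarization, product demo video analysis, and setting or updating the vita prompt. Supports a single image, multiple images, and video. TencentCloud VITA (...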
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md and the bundled script clearly require a TencentCloud VITA API key (TENCENTCLOUD_VITA_API_KEY) and the openai Python SDK; however the registry metadata lists no required environment variables or primary credential. That omission is an incoherence between what the skill says it needs and what it actually uses. The code's network target (VITA_BASE_URL) and features (image/video analysis, base64 local-image encoding) are consistent with the described purpose.
Instruction Scope
The SKILL.md prescribes running the included CLI (scripts/main.py) and defines how to handle local images (read and base64-encode) and that local video upload must be done via a separate tool. The only non-trivial agent-side action mandated outside running the script is persisting a prompt to <SKILL_DIR>/prompt/vita_prompt.txt; this is scoped to the skill directory and consistent with the stated prompt-persistence feature. The instructions do not ask the agent to read unrelated system files or exfiltrate data beyond calls to the VITA API.
Install Mechanism
There is no install spec (instruction-only install), but the shipped Python script depends on the 'openai' package and will exit with a DEPENDENCY_MISSING message if it's not installed. That is reasonable but means manual pip install is required. No downloads from arbitrary URLs or extracted archives are present.
Credentials
The code requires a single credential: TENCENTCLOUD_VITA_API_KEY (read from the environment). That is proportional to the skill's function, but the registry metadata failing to declare this required env var is a discrepancy. No other secrets or unrelated environment variables are accessed by the script.
Persistence & Privilege
The skill persists a user-provided 'vita_prompt.txt' under its own prompt/ directory and instructs the agent to write that file when the user requests. Persisting configuration inside the skill's directory is expected behavior, but users should be aware the skill will store the prompt on disk. The skill is not marked 'always: true' and does not request broader system-wide privileges.
What to consider before installing
This skill appears to implement TencentCloud VITA integration, and the bundled script is coherent with the SKILL.md. However: (1) the registry metadata omitted the required environment variable TENCENTCLOUD_VITA_API_KEY; make sure you set that only if you trust this skill and its source; (2) the script requires the 'openai' Python package (pip install openai); (3) the skill will read user-specified local image files and base64-encode them for upload, and it will write a prompt file to <SKILL_DIR>/prompt/vita_prompt.txt when asked to persist a prompt. Before installing, confirm that the API endpoint (VITA_BASE_URL) is the official Tencent endpoint you expect and that the prompt persistence behavior is what you want. If you need higher confidence, ask the publisher to update the registry metadata to declare the required env var and provide a homepage/source for validation.
Like a lobster shell, security has layers — review code before you run it.
latest vk97fy7ayr1v523jve5p1454c1983yyp4
