TencentCloud VITA

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill appears purpose-aligned for Tencent Cloud image/video analysis, but users should note that it sends media to a cloud service, authenticates with a Tencent Cloud API key read from the environment, and can persist a custom prompt that later runs reuse by default.

Before installing, confirm you are comfortable sending selected images or video URLs to Tencent Cloud VITA, configure a dedicated API key, and remember that any saved VITA prompt will continue to affect future runs until changed or deleted.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the skill may consume Tencent Cloud API quota or incur charges under the configured account.

Why it was flagged

The script reads a Tencent Cloud VITA API key from the environment and uses it to call the cloud service. This is expected for the stated integration, but it grants account/API usage authority.

Skill content
api_key = os.getenv("TENCENTCLOUD_VITA_API_KEY") ... return openai.OpenAI(api_key=api_key, base_url=VITA_BASE_URL)
Recommendation

Use a dedicated VITA API key with the least privileges available, keep it out of chat logs and shared shells, and monitor Tencent Cloud usage.
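The recommendation above asks for a dedicated key that stays out of chat logs and shared shells. The block below is an added example (not the skill's own script) of what that looks like in the client code: the key is loaded fail-closed from TENCENTCLOUD_VITA_API_KEY, a logging filter scrubs the key from every log record before any handler formats it, and a short SHA-256 fingerprint gives operators something they can correlate with Tencent Cloud usage without ever writing the key itself. The environment mapping passed to demo() is constructed sample input; the logger name and placeholder text are illustrative choices.

```python
import hashlib
import logging
import os
import re
from io import StringIO

ENV_VAR = "TENCENTCLOUD_VITA_API_KEY"


class MissingApiKey(RuntimeError):
    """Raised when the dedicated VITA key is absent, so a run never falls back to another credential."""


def load_vita_key(environ=None):
    """Read the key from the environment (or a supplied mapping) and fail closed if it is missing or blank."""
    env = os.environ if environ is None else environ
    key = (env.get(ENV_VAR) or "").strip()
    if not key:
        raise MissingApiKey(f"{ENV_VAR} is not set; refusing to call VITA without a dedicated key")
    return key


def key_is_configured(environ=None):
    """Verdict-only helper for pre-flight checks."""
    try:
        load_vita_key(environ)
        return True
    except MissingApiKey:
        return False


def key_fingerprint(key):
    """Short, non-reversible identifier so logs can say which key was used without containing it."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:12]


class RedactSecretFilter(logging.Filter):
    """Scrub the key from a record's message and arguments before any handler formats it, so debug
    output, tracebacks and transcripts pasted into chat never carry the credential."""

    def __init__(self, secret, placeholder="[REDACTED]"):
        super().__init__()
        self._pattern = re.compile(re.escape(secret))
        self._placeholder = placeholder

    def _scrub(self, value):
        return self._pattern.sub(self._placeholder, str(value))

    def filter(self, record):
        record.msg = self._scrub(record.msg)
        if isinstance(record.args, dict):
            record.args = {k: self._scrub(v) for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(self._scrub(a) for a in record.args)
        return True


def build_logger(key, stream):
    """Logger whose single handler scrubs `key`; `stream` stands in for a log file or console."""
    logger = logging.getLogger("vita.client")
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactSecretFilter(key))
    logger.handlers = [handler]
    return logger


def demo(environ):
    """Load the key, log as a careless client might (key in a debug line and in a dumped header),
    and return exactly what reached the log."""
    key = load_vita_key(environ)
    buf = StringIO()
    log = build_logger(key, buf)
    log.debug("connecting to VITA with key %s (fingerprint %s)", key, key_fingerprint(key))
    log.error("VITA request failed; request headers: Authorization: Bearer %s", key)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample environment; a real run reads os.environ.
    print(demo({ENV_VAR: "sk-example-not-a-real-key"}))
```

Attach the filter to every handler that can reach a file, a terminal the agent echoes, or a remote sink; a filter on the logger object alone would not apply to records emitted by child loggers.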

What this means

A previously saved prompt can affect future analyses until it is changed or removed.

Why it was flagged

The skill intentionally stores a user-provided prompt and reuses it as the default prompt for later calls when no command-line prompt is supplied.

Skill content
The agent writes the user-specified prompt directly to the following file ... <SKILL_DIR>/prompt/vita_prompt.txt ... if the file already exists, it is overwritten with the new prompt
Recommendation

Only save prompts that should be reused, avoid putting secrets in the prompt file, and update or delete the file when the custom prompt is no longer wanted.
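The behaviour flagged above (a prompt saved once in <SKILL_DIR>/prompt/vita_prompt.txt silently becomes the default for every later run) is easy to mishandle. The block below is an added example, not the skill's own code, of the prompt lifecycle done carefully: resolve_prompt() applies the documented precedence (command-line prompt, then the saved file, then a built-in default) and reports which source won so a caller can tell the user when a stale saved prompt is in effect; save_prompt() overwrites as the skill does but refuses credential-shaped text, writes atomically and keeps the file owner-only; clear_saved_prompt() removes it. The built-in default text and the secret heuristics are assumptions for the example; the skill's real default prompt is not shown on the page.

```python
import os
import re
import tempfile
from pathlib import Path

# Location the skill documents for the persisted prompt, relative to the skill directory.
PROMPT_REL_PATH = Path("prompt") / "vita_prompt.txt"
# Assumption: placeholder built-in default; the real script's default is not shown on the page.
BUILTIN_DEFAULT = "Describe what is shown in this media."

# Heuristics for credential-shaped text; extend to whatever secret formats your environment uses.
SECRET_PATTERNS = (
    re.compile(r"\bsk-[A-Za-z0-9_-]{8,}"),                                  # OpenAI-style key prefix
    re.compile(r"\bAKID[A-Za-z0-9]{10,}"),                                   # Tencent Cloud SecretId prefix
    re.compile(r"(?i)\b(api[_-]?key|secret|password|token)\s*[:=]\s*\S+"),   # key=value style
)


class UnsafePrompt(ValueError):
    """Raised instead of persisting a prompt that appears to contain a secret."""


def looks_like_secret(text):
    return any(p.search(text) for p in SECRET_PATTERNS)


def prompt_path(skill_dir):
    return Path(skill_dir) / PROMPT_REL_PATH


def save_prompt(text, skill_dir):
    """Overwrite the saved prompt as the skill does, but refuse secret-looking content,
    write atomically and keep the file readable by the owner only."""
    if looks_like_secret(text):
        raise UnsafePrompt("refusing to persist a prompt that appears to contain a credential")
    path = prompt_path(skill_dir)
    path.parent.mkdir(parents=True, exist_ok=True)
    tmp = path.with_name(path.name + ".tmp")
    tmp.write_text(text.strip() + "\n", encoding="utf-8")
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)  # atomic rename: a reader never sees a half-written prompt
    return path


def resolve_prompt(cli_prompt, skill_dir):
    """Return (prompt, source) with the precedence the skill describes: command-line prompt,
    then the saved file, then the built-in default. The source tells the caller when a
    previously saved prompt is in effect."""
    if cli_prompt and cli_prompt.strip():
        return cli_prompt.strip(), "cli"
    path = prompt_path(skill_dir)
    if path.is_file():
        saved = path.read_text(encoding="utf-8").strip()
        if saved:
            return saved, "saved"
    return BUILTIN_DEFAULT, "builtin"


def clear_saved_prompt(skill_dir):
    """Remove the persisted prompt; True if there was one to remove."""
    try:
        prompt_path(skill_dir).unlink()
        return True
    except FileNotFoundError:
        return False


def demo():
    """Walk through the lifecycle in a throwaway skill directory and report each observation."""
    skill_dir = tempfile.mkdtemp(prefix="vita-skill-")
    steps = {}
    steps["before_save"] = resolve_prompt(None, skill_dir)
    save_prompt("Count the people visible in the frame.", skill_dir)
    steps["after_save"] = resolve_prompt("", skill_dir)
    steps["cli_wins"] = resolve_prompt("List the objects", skill_dir)
    save_prompt("Summarise the scene in one sentence.", skill_dir)  # overwrite, as the skill does
    steps["after_overwrite"] = resolve_prompt(None, skill_dir)
    try:
        save_prompt("Use token=sk-abcdefghijklmnop for auth", skill_dir)
        steps["secret_rejected"] = False
    except UnsafePrompt:
        steps["secret_rejected"] = True
    steps["cleared"] = clear_saved_prompt(skill_dir)
    steps["cleared_again"] = clear_saved_prompt(skill_dir)
    steps["after_clear"] = resolve_prompt(None, skill_dir)
    return steps


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Surface the source returned by resolve_prompt() in the run output: a user who sees "prompt source: saved" before each analysis will notice a leftover prompt long before its results become confusing.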

What this means

Private images or videos provided for analysis may leave the local machine and be processed or hosted by cloud services.

Why it was flagged

The skill discloses that local images are read and sent to Tencent VITA inline, and that local videos cannot be sent directly: they must first be uploaded through another tool to obtain an accessible URL, which then leaves the media with that hosting service as well.

Skill content
Local images: the script can be called directly; it reads the file, converts it to a base64 data URL, and calls the VITA API. ... Local videos: the current script does not support uploading directly; to analyze one, first upload it with another upload tool (such as a COS-related skill) and obtain an accessible URL
Recommendation

Use this only for media you are comfortable sending to Tencent Cloud or an upload service; prefer private or short-lived pre-signed URLs for videos and clean up uploaded files afterward.
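To make the two data paths concrete, the block below is an added example (not the skill's script) of the checks a careful caller would put in front of them. image_to_data_url() builds the same kind of base64 data URL the skill sends, but picks the MIME type from the file's magic bytes rather than its extension and caps the size, so a renamed text file or an oversized artifact cannot ride along to the cloud. check_video_url() screens the URL obtained from an upload tool: https only, no embedded credentials, a public host the remote service can actually reach, and, when the URL carries a COS-style q-sign-time=start;end parameter, a short validity window. The size cap, the one-hour window and the q-sign-time format are assumptions for this example; the sample files and URLs are constructed.

```python
import base64
import ipaddress
import tempfile
from pathlib import Path
from urllib.parse import urlsplit, unquote

MAX_IMAGE_BYTES = 10 * 1024 * 1024   # assumption: local cap, not a documented VITA limit
MAX_SIGN_WINDOW = 3600                # assumption: reject pre-signed URLs valid for more than an hour

# Magic bytes for the image types we are willing to encode; anything else is refused.
MAGIC = (
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
)


def sniff_image_type(data):
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "image/webp"
    return None


def image_to_data_url(path, max_bytes=MAX_IMAGE_BYTES):
    """Build the base64 data URL for a local image; the type comes from the bytes, not the
    extension, so a renamed file cannot smuggle other content off the machine."""
    data = Path(path).read_bytes()
    if len(data) > max_bytes:
        raise ValueError(f"{path}: {len(data)} bytes exceeds the {max_bytes}-byte limit")
    mime = sniff_image_type(data)
    if mime is None:
        raise ValueError(f"{path}: not a recognised image type, refusing to upload it")
    return f"data:{mime};base64,{base64.b64encode(data).decode('ascii')}"


def check_video_url(url, max_window=MAX_SIGN_WINDOW):
    """Validate a video URL before handing it to the cloud. The q-sign-time=start;end check
    assumes the COS pre-signed URL format; URLs without it pass as 'not presigned'."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("only https URLs are accepted")
    if parts.username or parts.password:
        raise ValueError("URL embeds credentials")
    host = parts.hostname or ""
    if not host:
        raise ValueError("URL has no host")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if host == "localhost" or (addr is not None and not addr.is_global):
        raise ValueError("local or private host; the remote service could not fetch it")
    # Parse the query by hand: parse_qs splits on ';' in older Pythons and would break the window.
    params = {}
    for item in parts.query.split("&"):
        if "=" in item:
            k, v = item.split("=", 1)
            params[unquote(k)] = unquote(v)
    window = None
    if "q-sign-time" in params:
        try:
            start, end = (int(x) for x in params["q-sign-time"].split(";"))
        except ValueError:
            raise ValueError("malformed q-sign-time") from None
        window = end - start
        if window <= 0 or window > max_window:
            raise ValueError(f"pre-signed window of {window}s is outside (0, {max_window}]")
    return {"host": host, "presigned": window is not None, "window_seconds": window}


def url_is_acceptable(url):
    """(True, info) or (False, reason) for callers that just want a verdict."""
    try:
        return True, check_video_url(url)
    except ValueError as exc:
        return False, str(exc)


def demo():
    """Encode a constructed PNG header and push a renamed text file through the same path."""
    d = Path(tempfile.mkdtemp(prefix="vita-media-"))
    png = d / "frame.png"
    png.write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)   # constructed: header only, not a viewable image
    renamed = d / "notes.png"
    renamed.write_bytes(b"meeting notes: do not share\n")  # text file wearing an image extension
    data_url = image_to_data_url(png)
    try:
        image_to_data_url(renamed)
        rejected = False
    except ValueError:
        rejected = True
    payload = base64.b64decode(data_url.split(",", 1)[1])
    return {"data_url": data_url, "roundtrip_ok": payload == png.read_bytes(), "renamed_text_rejected": rejected}


if __name__ == "__main__":
    print(demo())
    print(url_is_acceptable("https://example.com/clip.mp4?q-sign-time=1700000000;1700001800"))
```

The host check matters because the skill itself cannot reach back into your network: a URL that resolves to a loopback or private address will simply fail at the cloud side, and a failing URL is a hint that the wrong (or an internal) upload target was used. Delete the uploaded object once the analysis is done, as the recommendation says; a short signing window limits, but does not remove, the exposure of an object left behind.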

What this means

Users must manage the dependency themselves, which can cause setup inconsistency or package-provenance risk.

Why it was flagged

The skill depends on a manually installed third-party package, while the provided install metadata has no install spec or pinned dependency information.

Skill content
`openai` (OpenAI-compatible SDK, installed via `pip install openai`)
Recommendation

Install dependencies from trusted package sources and, where possible, pin and review the package version used with this skill.