Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

portrait-compare

v1.0.0

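Face recognition and similarity comparison skill. This skill must be used when the user uploads two photos and asks "are they the same person", "face similarity", "face comparison", "face recognition", or "are these two images the same person", or needs to compute a similarity score between two face photos. Applicable scenarios: ID-to-photo comparison, photo comparison, identity verification, face matching and similar tasks. Even if the user only says "help me check whether these two photos are the same...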

by TuringParty @xavierjiezou
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the included code: the script and docs implement face detection, alignment, feature extraction and similarity scoring. That capability justifies ONNX model files and OpenCV usage. However, the skill declares no required environment variables or install steps while the code expects OpenCV face modules (FaceDetectorYN, FaceRecognizerSF), scipy, Pillow and optional env vars for model paths — some of which likely need opencv-contrib builds. The SKILL.md's compatibility line lists packages but these are not formally declared in the manifest.
!
Instruction Scope
SKILL.md instructs the agent to list and read files under /mnt/user-data/uploads/ and to run a script at /home/claude/face-recognition/scripts/face_compare.py, but the included file is at scripts/face_compare.py (path mismatch). The instructions also reference optional model downloads and tell the agent to run shell commands (ls, python) and write output to /tmp — which is expected for image processing but grants the skill access to local user-uploaded images. The script itself reads environment variables (YUNET_MODEL, SFACE_MODEL) which are not declared in the manifest. Overall the instructions exercise local filesystem and environment in ways that are consistent with the stated purpose but contain path/env inconsistencies and assume system tooling that may not exist.
!
Install Mechanism
There is no install specification despite non-trivial runtime requirements (OpenCV with face modules, numpy, scipy, Pillow). The SKILL.md mentions compatibility and suggests ONNX model downloads (GitHub raw URLs), but the manifest does not provide a reproducible install step or declare dependency sources (e.g., opencv-contrib-python vs opencv-python). Missing an install mechanism makes it unclear how to obtain a compatible OpenCV build and whether the optional model downloads will be fetched and stored safely.
!
Credentials
Manifest lists no required env vars, but the script checks os.environ for YUNET_MODEL and SFACE_MODEL and will accept model paths from environment variables. This is not declared in requires.env. The skill does not request credentials, but it does access local filesystem paths (uploads and /tmp) and can be pointed to models via env vars. The undeclared env vars and reliance on possibly sensitive local files (user uploads) are proportionate to face-compare functionality but should be declared explicitly so users know what will be read.
Persistence & Privilege
always:false and no credentials/config paths requested — the skill does not demand permanent inclusion or elevated privileges. It will run only when invoked. However, because it reads local uploaded images and can be invoked autonomously by the agent (platform default), you should be cautious about automatic invocations on sensitive images.
What to consider before installing
What you should know and do before installing:
- Main issues found: the bundle contains working face-compare code but the skill manifest does not declare required dependencies or environment variables the code actually uses (YUNET_MODEL, SFACE_MODEL). The SKILL.md references a different absolute script path (/home/claude/...) than the included file location (scripts/face_compare.py). There is no install spec to ensure a compatible OpenCV build (Face modules often require opencv-contrib) or to fetch the ONNX models safely.
- Privacy & safety: this skill reads user-uploaded images and writes output files. Only install if you trust the skill author and the environment where it will run. Avoid running on sensitive identity documents or any set of images without consent. Do not rely on the automated decision for high-stakes identity verification.
- Technical steps to reduce risk:
  - Verify/declare dependencies before running: opencv-contrib-python (or an OpenCV build with FaceRecognizerSF/FaceDetectorYN), numpy, scipy, pillow. Install them in a sandboxed environment (virtualenv/container).
  - Confirm where the script will run and correct the path discrepancy in SKILL.md (use the included scripts/face_compare.py path or update the file layout).
  - If you need schemeA models, download ONNX files directly from the linked OpenCV zoo GitHub URLs and verify integrity (check hashes) before placing them in /tmp or the working dir.
  - Ensure the skill's expected env vars (YUNET_MODEL, SFACE_MODEL) are explicitly set or the code will fall back to the listed search paths; consider adding these env vars to the skill manifest so they are visible.
  - Run the code first in an isolated environment to confirm it behaves as expected and does not attempt any unexpected network connections or data exfiltration.
- When to avoid installation: if you cannot validate the author/source, cannot sandbox execution, or if you'll process highly sensitive identity images, do not install/use this skill as-is. If you want, I can produce a checklist of exact manifest and install changes that would make this skill coherent (declare env vars, add a reproducible install step, correct paths, and list required packages).

Like a lobster shell, security has layers — review code before you run it.

latestvk9793m332n8cdwz3e6jr7r2wad83gq9p
