Skill v1.0.1
ClawScan security
TencentCloud FaceID CompareFace · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review: Mar 16, 2026, 9:59 AM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly does what it says (calls Tencent Cloud CompareFace), but the package metadata omitted the required Tencent Cloud credentials and dependency instructions, which is an incoherence you should understand before installing.
- Guidance: Before installing or running: (1) be aware this tool will upload images you supply to Tencent Cloud's IAI service — do not send sensitive personal data unless you accept Tencent Cloud's handling and residency. (2) The skill requires TENCENTCLOUD_SECRET_ID and TENCENTCLOUD_SECRET_KEY (the registry metadata omitted these); provide only least-privilege API keys and monitor billing. (3) You must install the tencentcloud-sdk-python dependency (pip install tencentcloud-sdk-python) and run under Python 3.6+. (4) Verify you trust the skill source; because metadata omitted required credentials, double-check for other omissions. If you need to avoid sending images off-host, do not use this skill, or sanitize/obfuscate images first.
Review Dimensions
- Purpose & Capability (note): Purpose (calling Tencent Cloud CompareFace) matches the code and SKILL.md: the script builds a CompareFace request and sends images to iai.tencentcloudapi.com. Requesting Tencent Cloud API keys is appropriate for this purpose. However, the registry metadata declared no required environment variables or primary credential while both the SKILL.md and the script require TENCENTCLOUD_SECRET_ID and TENCENTCLOUD_SECRET_KEY — a metadata omission/incoherence.
- Instruction Scope (note): Runtime instructions and the script are limited to reading images (local files, Base64, or remote URLs), encoding them as needed, and calling the Tencent Cloud IAI API. The script reads only the provided file paths and the two Tencent Cloud env vars; it does not reference unrelated system files or hidden endpoints. Important: image data will be transmitted to Tencent Cloud (sensitive personal data).
- Install Mechanism (note): There is no install spec. The SKILL.md and script require the third-party Python package tencentcloud-sdk-python and a Python 3.6+ runtime; the README asks the user to pip install it, but the package registry metadata does not express this dependency. Lack of an automated install increases the chance of runtime errors but is not itself malicious.
- Credentials (concern): The script legitimately needs Tencent Cloud API keys (TENCENTCLOUD_SECRET_ID and TENCENTCLOUD_SECRET_KEY). The concern is that the metadata lists no required env vars or primary credential while the code and SKILL.md require secret keys — this mismatch is a security/configuration omission. Also note these keys grant access to Tencent Cloud account resources and should be scoped and protected appropriately.
- Persistence & Privilege (ok): The skill does not request persistent presence (always:false) and does not modify other skills or system configuration. It runs as a one-off script and does not grant elevated or hidden privileges.
