Back to skill
Skillv1.0.0
ClawScan security
tencentcloud-faceid-detectface · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 13, 2026, 8:34 AM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The package implements a Tencent Cloud DetectFace wrapper that legitimately requires Tencent Cloud API keys and network access; the code and runtime instructions match the described purpose, but the registry metadata omits the required environment variables—review before installing.
- Guidance
- This skill appears to be a straightforward wrapper for Tencent Cloud's DetectFace API and needs your Tencent Cloud API keys (TENCENTCLOUD_SECRET_ID and TENCENTCLOUD_SECRET_KEY). Before installing: (1) confirm you trust the skill publisher/source (source is marked unknown here); (2) verify the registry metadata is updated to declare the required env vars (the code and SKILL.md require them); (3) provide API keys with least privilege possible and avoid using long-lived/root credentials; (4) run the script in an isolated environment if you want to limit risk; and (5) inspect the included scripts/main.py yourself (it’s small and readable) to confirm there are no hidden endpoints or unexpected behavior. If you have sensitive images, remember the images or their URLs will be sent to Tencent's iai.tencentcloudapi.com service per the SDK call.
Review Dimensions
- Purpose & Capability
- noteThe skill's name/description (Tencent Cloud DetectFace) matches the included code and SKILL.md: it calls the IAI DetectFace API and returns face boxes/attributes/quality. The only inconsistency is registry metadata claiming no required env vars while both SKILL.md and scripts/main.py require TENCENTCLOUD_SECRET_ID and TENCENTCLOUD_SECRET_KEY. This appears to be an omission in metadata rather than a functional mismatch.
- Instruction Scope
- okSKILL.md instructs the agent to run scripts/main.py, install the official tencentcloud-sdk-python, and set the Tencent Cloud API keys. The runtime instructions and script only read the supplied image (file or Base64) and the two Tencent Cloud env vars; they do not request unrelated files, system config, or unusual external endpoints beyond the Tencent IAI endpoint.
- Install Mechanism
- okThere is no install spec (instruction-only + a Python script). The script indicates a pip dependency on tencentcloud-sdk-python, which is proportional. No downloads from untrusted URLs or archive extraction are present.
- Credentials
- noteThe script requires TENCENTCLOUD_SECRET_ID and TENCENTCLOUD_SECRET_KEY — these are appropriate and necessary for calling Tencent Cloud APIs. The skill package/registry metadata, however, did not declare these required env vars; that mismatch should be corrected or confirmed before use.
- Persistence & Privilege
- okalways is false and the skill does not request persistent system-wide privileges or modify other skills. It runs as a single script and does not attempt to persist credentials or alter agent/system configuration.