Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

tencentcloud-faceid-detectlivefaceaccurate

v1.0.0

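Skill for calling the Tencent Cloud high-accuracy static face liveness detection API (DetectLiveFaceAccurate). Use this skill when a user needs anti-recapture liveness detection on a face image. Compared with standard static liveness detection, the high-accuracy version strengthens defenses against attacks such as high-definition screens, cut-out paper prints, and 3D masks, and is suited to image liveness checks across all kinds of mobile and PC scenarios. Supports both image Base64 and image URL...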

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code and SKILL.md implement calls to Tencent Cloud's DetectLiveFaceAccurate API and require Tencent Cloud API keys — that is consistent with the stated purpose of performing static liveness detection.
Instruction Scope
Runtime instructions and the script stay within scope: they read an image (or accept a URL/Base64), validate sizes, encode to Base64 if needed, and call the Tencent Cloud API. The script does not reference unrelated system files or external endpoints beyond the Tencent Cloud API.
Install Mechanism
There is no install spec in the registry, but SKILL.md and the script require the third‑party Python package tencentcloud-sdk-python (pip). Lack of an automated install step is not inherently malicious, but it is a discrepancy the user should be aware of (manual dependency installation required).
Credentials
The script requires TENCENTCLOUD_SECRET_ID and TENCENTCLOUD_SECRET_KEY to call the API — those credentials are appropriate for the skill's purpose. However, the registry metadata lists no required environment variables or primary credential, creating an inconsistency that could mislead users about what secrets are needed.
Persistence & Privilege
The skill does not request persistent presence, does not set always:true, and does not modify other skills or system-wide settings. It runs as a standalone script when invoked.
What to consider before installing
This skill's code appears to do what the description says, but the registry metadata omits that it requires Tencent Cloud API credentials and a Python SDK. Before installing or running:
1) Verify you are comfortable providing TENCENTCLOUD_SECRET_ID and TENCENTCLOUD_SECRET_KEY (these grant API access to your Tencent Cloud account).
2) Install the tencentcloud-sdk-python package in a controlled environment (pip install tencentcloud-sdk-python).
3) Review the included scripts/main.py locally to ensure it matches your expectations (it only encodes images and calls the Tencent Cloud API).
4) Consider privacy: images (or image URLs) will be sent to Tencent Cloud; ensure this is acceptable for your data handling requirements.
5) Ask the publisher to fix the registry metadata to declare the required env vars and any installation steps to reduce confusion.

Like a lobster shell, security has layers — review code before you run it.
