v1.0.2

TencentCloud ExtractDoc OCR

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 6:35 AM.

Analysis

The artifacts consistently implement a Tencent Cloud OCR document-extraction helper, but users should notice that it needs Tencent Cloud credentials and sends chosen documents or URLs to Tencent Cloud.

GuidanceBefore installing, confirm you are comfortable sending the chosen documents or document URLs to Tencent Cloud OCR and that you can provide a least-privilege Tencent Cloud API key. The skill appears coherent and purpose-aligned, but review cloud data-handling and billing expectations for your use case.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceMediumStatusNote

SKILL.md

依赖：`tencentcloud-sdk-python`（通过 `pip install tencentcloud-sdk-python` 安装）

The skill depends on an external Python package installed manually and does not pin a version in the provided artifacts. This is expected for a Tencent Cloud SDK wrapper, but users should install the official package intentionally.

User impactA dependency change or wrong package source could affect the behavior of the local OCR helper.

RecommendationInstall the official Tencent Cloud SDK from a trusted package source and consider pinning a known version in controlled environments.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

scripts/main.py

secret_id = os.environ.get("TENCENTCLOUD_SECRET_ID") ... secret_key = os.environ.get("TENCENTCLOUD_SECRET_KEY") ... cred = credential.Credential(secret_id, secret_key)

The code requires Tencent Cloud API credentials from environment variables. This is purpose-aligned for calling Tencent Cloud OCR, but the registry metadata says no primary credential or required environment variables are declared.

User impactUsing the skill requires cloud account credentials, and charges or access depend on the permissions attached to those credentials.

RecommendationUse a Tencent Cloud key with the minimum permissions needed for OCR, monitor billing, and avoid sharing or logging the secret key.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityMediumConfidenceHighStatusNote

scripts/main.py

http_profile.endpoint = "ocr.tencentcloudapi.com" ... req.ImageUrl = args.image_url ... req.ImageBase64 = load_image_base64(args.image_base64) ... resp = client.ExtractDocAgent(req)

The script sends the user-provided document URL or Base64/file-derived document content to Tencent Cloud's OCR endpoint. This is expected for the OCR purpose, but it is a sensitive data boundary users should understand.

User impactContracts, invoices, reports, or other selected documents may be processed by Tencent Cloud and could contain private or business-sensitive information.

RecommendationUse the skill only for documents you are allowed to send to Tencent Cloud, and prefer non-sensitive test files when validating setup.