Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

TencentCloud IDCard OCR

v1.0.4

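Skill for calling the Tencent Cloud ID card recognition (IDCardOCR) API. Use this skill when the user needs to recognize the front and back information of a mainland China second-generation resident ID card in an image (name, sex, ethnicity, date of birth, address, ID number, issuing authority, validity period, etc.). It supports two input methods, image Base64 and URL, and also supports ID card photo cropping and several warning features.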

by tencent-ocr@zt1314p-design
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)

[!] Purpose & Capability
The SKILL.md and scripts/main.py clearly require Tencent Cloud API credentials (TENCENTCLOUD_SECRET_ID and TENCENTCLOUD_SECRET_KEY) and the tencentcloud-sdk-python dependency to call ocr.tencentcloudapi.com, which matches the stated purpose. However the registry metadata declares no required env vars or primary credential — an inconsistency that can mislead users about the permissions/secrets this skill needs.
[!] Instruction Scope
Instructions and the script accept either an image URL or a local file path for --image-base64 and will read arbitrary local files (treating them as Base64 or encoding binary) and send contents to the remote OCR API. This is expected for image OCR, but it also means the skill can be used to transmit arbitrary local file contents to Tencent Cloud if misused or invoked autonomously.
Install Mechanism
This is an instruction-only skill with an included Python script; there is no install spec. The SKILL.md and script require the third-party package tencentcloud-sdk-python but do not declare an automated install step — users must install the dependency manually. No suspicious download URLs or extract actions are present.
[!] Credentials
The environment secrets the tool needs (Tencent Cloud secret id/key) are appropriate for contacting the Tencent OCR API. However the registry metadata fails to list these required environment variables or a primary credential, which is a meaningful mismatch and can cause accidental credential exposure or misconfiguration by users who assume no credentials are needed.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. Autonomous invocation is allowed (platform default). This is normal, but it combines with the data-exfiltration vector above if you allow autonomous runs.
What to consider before installing
Before installing:

(1) Be aware the script requires your TENCENTCLOUD_SECRET_ID and TENCENTCLOUD_SECRET_KEY even though the registry metadata doesn't list them — the skill will exit if they are not set. Only provide credentials scoped minimally (limited permissions, dedicated account) and avoid using high-privilege keys.
(2) The tool will read a local file when you pass --image-base64 <path> and will send its contents to Tencent's OCR endpoint — do not pass paths to sensitive local files (password files, keys, config) or run the skill in a context where untrusted code could invoke it.
(3) The package dependency tencentcloud-sdk-python must be installed manually; verify you install it from a trusted source.
(4) If you plan to allow autonomous agent invocation, prefer to disable autonomous use or run the skill in an isolated environment, and ensure the agent is not granted broad access to other local files or credentials.
(5) If unsure, inspect and run the script in a sandbox, confirm the endpoint is ocr.tencentcloudapi.com (official), and request the publisher update registry metadata to declare required env vars and dependency installation steps.

Like a lobster shell, security has layers — review code before you run it.

Latest version: v1.0.4 (MIT-0)
362 downloads, 0 stars, 5 versions, updated 6h ago

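Tencent Cloud ID Card Recognition (IDCardOCR)

Purpose

Calls the Tencent Cloud OCR ID card recognition API. It supports recognition of all fields on the front and back of mainland China second-generation resident ID cards, with recognition accuracy above 99%.

Core capabilities:

  • Portrait side (FRONT): recognizes name, sex, ethnicity, date of birth, address, and citizen ID number
  • National emblem side (BACK): recognizes issuing authority and validity period
  • Additional features: cropping of the ID card photo / portrait photo, and 7 kinds of warning detection (photocopy, re-shot photo, PS editing, temporary ID card, etc.)

Official documentation: https://cloud.tencent.com/document/api/866/33524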

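When to use

Trigger this skill when the user raises any of the following needs:

  • Needs to extract text information from an ID card image
  • Needs to verify the authenticity of an ID card (photocopy / re-shot photo / PS detection)
  • Needs to crop the ID card photo or the portrait photo
  • Any scenario involving ID card OCR recognition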

Environment requirements

  • Python 3.6+
  • Dependency: tencentcloud-sdk-python (install with pip install tencentcloud-sdk-python)
  • Environment variables:
    • TENCENTCLOUD_SECRET_ID: Tencent Cloud API secret ID
    • TENCENTCLOUD_SECRET_KEY: Tencent Cloud API secret key

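Usage

Run the scripts/main.py script to perform ID card recognition.

Request parameters

Parameter | Type | Required | Description
ImageBase64 | str | No (one of the two) | Base64 value of the image, no more than 10MB
ImageUrl | str | No (one of the two) | Image URL; used in preference
CardSide | str | | FRONT (portrait side) / BACK (national emblem side); determined automatically if omitted
Config | str | | JSON string; see the optional switches below
EnableRecognitionRectify | bool | | Default true; enables correction and completion of ID number / date of birth / sex
EnableReflectDetail | bool | | Default false; must be used together with ReflectWarn
CardWarnType | str | | Basic (default) / Advanced (advanced PS warning)
UserAgent | str | | Request source identifier (optional), used to trace the call source; uniformly fixed to Skills

Optional Config JSON switches: CropIdCard, CropPortrait, CopyWarn, BorderCheckWarn, ReshootWarn, DetectPsWarn, TempIdWarn, InvalidDateWarn, Quality, MultiCardDetect, ReflectWarn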

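⚠️ UserAgent parameter usage guide

The --user-agent parameter is optional and uniformly fixed to Skills; it does not need to be passed manually. It identifies the source of the API call for tracking and statistics:

Calling framework | --user-agent value | Description
All frameworks | Skills | Uniform fixed value; also the default when not passed

Implementation notes:

  • Passed via the --user-agent command-line parameter; the SDK concatenates it as "SDK_PYTHON_x.x.x; Skills" and injects it into the request
  • Uniformly fixed to Skills; also the default when not passed
  • This identifier is recorded in the ReqBody.RequestClient field of the ES logs and can be used to trace the source

Output format

On successful recognition, a JSON result is returned:

Portrait side (FRONT)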

{
  "Name": "张三",
  "Sex": "男",
  "Nation": "汉",
  "Birth": "1990/01/01",
  "Address": "XX省XX市XX区XX路XX号",
  "IdNum": "110101199001011234",
  "AdvancedInfo": "{\"WarnInfos\":[]}",
  "RequestId": "xxx"
}

National emblem side (BACK)

{
  "Authority": "XX市公安局",
  "ValidDate": "2020.01.01-2040.01.01",
  "AdvancedInfo": "{\"WarnInfos\":[]}",
  "RequestId": "xxx"
}

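Warning codes

Warning code | Meaning
-9100 | Invalid validity date
-9101 | Incomplete border
-9102 | Photocopy
-9103 | Re-shot photo
-9104 | Temporary ID card
-9105 | Occlusion within the frame
-9106 | PS traces
-9107 | Reflection
-9108 | Photocopy (black-and-white only)
-9110 | Electronic ID card

Invocation examples

# Basic invocation (--user-agent defaults to Skills and can be omitted)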
python scripts/main.py --image-url "https://example.com/idcard.jpg" --card-side FRONT

# Invoke with a Base64 file
python scripts/main.py --image-base64 "/path/to/base64.txt"

# Enable warning detection and photo cropping
python scripts/main.py --image-url "https://example.com/idcard.jpg" \
  --config '{"CropIdCard":true,"CopyWarn":true,"ReshootWarn":true}'

# Use the advanced PS warning
python scripts/main.py --image-url "https://example.com/idcard.jpg" \
  --card-warn-type Advanced
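
The scan above notes that --image-base64 <path> reads whatever local file it is given and sends the contents to the OCR endpoint. The following pre-flight check is an added example, not code from the skill's scripts/main.py: it lets a file through only if it is an image or Base64 text that decodes to one. The names load_image_payload, demo and IMAGE_MAGIC are hypothetical, and restricting input to JPEG and PNG is an assumption.

```python
import base64
import binascii
import os
import tempfile

MAX_B64_BYTES = 10 * 1024 * 1024  # page: ImageBase64 must not exceed 10MB
# Assumption: this deployment only accepts JPEG and PNG input.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n")


def load_image_payload(path):
    """Return Base64 text for an image file; raise ValueError otherwise."""
    real = os.path.realpath(path)  # resolve symlinks before checking
    if not os.path.isfile(real) or os.path.getsize(real) > MAX_B64_BYTES:
        raise ValueError("not a regular file, or larger than 10MB")
    with open(real, "rb") as fh:
        raw = fh.read()
    if raw.startswith(IMAGE_MAGIC):  # binary image: encode it ourselves
        b64 = base64.b64encode(raw)
    else:  # otherwise it must be Base64 text that decodes to an image
        b64 = b"".join(raw.split())  # drop line wraps and trailing newline
        try:
            decoded = base64.b64decode(b64, validate=True)
        except (binascii.Error, ValueError):
            raise ValueError("neither an image nor Base64 text") from None
        if not decoded.startswith(IMAGE_MAGIC):
            raise ValueError("Base64 does not decode to an image")
    if len(b64) > MAX_B64_BYTES:
        raise ValueError("Base64 payload exceeds the 10MB limit")
    return b64.decode("ascii")


def demo():
    """Check constructed sample files; return {name: accepted?}."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed PNG-like bytes
    samples = {"card.png": png, "card.b64": base64.b64encode(png) + b"\n",
               "id_rsa": b"-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA\n",
               "notes.txt": b"c2VjcmV0"}  # valid Base64, but of b"secret"
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            p = os.path.join(tmp, name)
            with open(p, "wb") as fh:
                fh.write(data)
            try:
                out[name] = bool(load_image_payload(p))
            except ValueError:
                out[name] = False
    return out
```

Calling demo() shows that the two constructed image samples are accepted while the key-like file and the non-image Base64 text are rejected before anything would be sent.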
