Skill v1.0.4

VirusTotal security

TencentCloud IDCard OCR · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review: May 1, 2026, 6:04 AM
Hash: 946a7766c6b769bf6feca6e3429f8dd64f5bfd71b0a031601efe51b309cf96c9
Source: palm
Verdict: suspicious

Code Insight

Type: OpenClaw Skill
Name: tencentcloud-ocr-idcard
Version: 1.0.4

The skill provides a functional wrapper for the Tencent Cloud ID Card OCR API but contains a significant vulnerability in `scripts/main.py`. The `load_image_base64` function allows for arbitrary file reads by accepting any local file path and encoding its contents for transmission to the OCR endpoint, without restricting access to specific directories or image file types. While this capability is documented in `SKILL.md` as a feature for processing local files, the lack of input sanitization or path restriction represents a high-risk behavior in an agentic environment. No evidence of intentional malice or unauthorized data exfiltration was found.