TencentCloud LicensePlate OCR
Analysis
The skill appears to do the claimed Tencent Cloud license-plate OCR task, but it sends submitted vehicle images to Tencent Cloud and uses your Tencent API keys.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
依赖:`tencentcloud-sdk-python`(通过 `pip install tencentcloud-sdk-python` 安装)
The skill depends on an external Python SDK installed via pip, with no pinned version shown in the artifacts; this is normal for a Tencent Cloud integration but is still a supply-chain consideration.
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
secret_id = os.environ.get("TENCENTCLOUD_SECRET_ID")
secret_key = os.environ.get("TENCENTCLOUD_SECRET_KEY")
...
cred = credential.Credential(secret_id, secret_key)The skill reads Tencent Cloud API credentials from environment variables and uses them to authenticate OCR requests; this is expected for the service but gives the skill access to the user's Tencent Cloud account for this API call.
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
http_profile.endpoint = "ocr.tencentcloudapi.com" ... req.ImageUrl = args.image_url ... req.ImageBase64 = load_image_base64(args.image_base64) ... resp = client.LicensePlateOCR(req)
The skill sends the provided image URL or Base64 image data to Tencent Cloud's OCR API; license-plate images and OCR outputs can be sensitive even though this data flow is central to the skill's purpose.