v1.0.2

TencentCloud MLIDPassport OCR

Benign
ClawScan verdict for this skill. Analyzed May 1, 2026, 6:33 AM.

Analysis

This skill is a coherent Tencent Cloud passport OCR wrapper, but users should note that it sends passport images and extracted passport data to Tencent Cloud and requires Tencent Cloud API credentials.

Guidance: This skill appears purpose-aligned and not malicious. Before installing, confirm you are comfortable sending passport images or image URLs to Tencent Cloud, use least-privilege Tencent Cloud credentials, and install the Tencent Cloud SDK from a trusted source.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Info | Confidence: High | Status: Note
SKILL.md
Dependency: `tencentcloud-sdk-python` (installed via `pip install tencentcloud-sdk-python`)

The skill relies on a manually installed, unpinned Python package. This is purpose-aligned for Tencent Cloud API access, but users should be aware that dependency provenance and version pinning are not enforced by the provided artifacts.

User impact: The behavior of the skill depends on the locally installed Tencent Cloud SDK version.
Recommendation: Install the SDK from the official package source and consider pinning a trusted version in controlled environments.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
scripts/main.py
secret_id = os.environ.get("TENCENTCLOUD_SECRET_ID")
secret_key = os.environ.get("TENCENTCLOUD_SECRET_KEY")

The script reads Tencent Cloud API credentials from environment variables to call the OCR service; this is expected for the integration, but credential use is not declared in the registry metadata.

User impact: Installing or using the skill requires Tencent Cloud API credentials, which may allow billable OCR API calls under the user's Tencent Cloud account.
Recommendation: Use a Tencent Cloud key with the least necessary permissions, monitor usage and billing, and avoid sharing the environment where these variables are set.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium | Confidence: High | Status: Note
scripts/main.py
http_profile.endpoint = "ocr.tencentcloudapi.com"
...
resp = client.MLIDPassportOCR(req)

The script sends passport image input to Tencent Cloud's OCR API endpoint and returns extracted passport fields; this external provider flow is disclosed and central to the skill's purpose.

User impact: Passport images, image URLs, and extracted identity details may be processed by Tencent Cloud when the skill is used.
Recommendation: Only process passport images when the user intends to send them to Tencent Cloud, and follow applicable privacy, consent, and data-handling requirements.