v1.0.2

TencentCloud QuestionMark OCR

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 6:35 AM.

Analysis

The skill coherently calls Tencent Cloud OCR to grade user-provided exam images or PDFs, but users should notice the Tencent Cloud credentials, third-party data processing, and manual SDK install.

Guidance: Before installing, confirm you are comfortable sending exam images or PDFs to Tencent Cloud, configure least-privileged Tencent Cloud credentials, understand possible quota or billing use, and install the Tencent Cloud SDK from a trusted source.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low; Confidence: High; Status: Note
SKILL.md
Dependency: `tencentcloud-sdk-python` (install via `pip install tencentcloud-sdk-python`)

The skill relies on a manually installed, unpinned Python SDK dependency. This is normal for a Tencent Cloud API client, but unpinned installs can change over time.

User impact: A future SDK version could behave differently or introduce compatibility/security issues.
Recommendation: Install the SDK from the official package source and consider pinning a known-good version in controlled environments.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low; Confidence: High; Status: Note
scripts/main.py
secret_id = os.environ.get("TENCENTCLOUD_SECRET_ID") ... secret_key = os.environ.get("TENCENTCLOUD_SECRET_KEY")

The script uses Tencent Cloud API credentials from environment variables to act on the user's cloud account. This is expected for the integration, but the registry metadata says no required env vars or primary credential.

User impact: Calls may use the user's Tencent Cloud account, quota, and billing privileges.
Recommendation: Use a Tencent Cloud key with only the permissions needed for this OCR service, keep it out of shared environments, and monitor quota or billing.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low; Confidence: High; Status: Note
scripts/main.py
req.ImageUrl = args.image_url ... req.ImageBase64 = load_image_base64(args.image_base64) ... resp = client.SubmitQuestionMarkAgentJob(req)

The skill sends a user-provided image URL or Base64/file-derived content to Tencent Cloud for OCR grading. This is the core purpose, but it means exam images, handwriting, and answer content leave the local environment.

User impact: Student work or other sensitive educational content may be processed by Tencent Cloud.
Recommendation: Only submit files you are allowed to share with Tencent Cloud, avoid unnecessary personal information, and follow your school or organization’s privacy requirements.