TencentCloud VatInvoice OCR
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a legitimate Tencent Cloud invoice OCR wrapper, but it uses Tencent Cloud API credentials and sends invoice documents to Tencent for processing.
Before installing, confirm you are comfortable uploading invoice documents to Tencent Cloud, use limited-scope API credentials, monitor possible OCR charges, and install the Tencent SDK from a trusted source.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using broad Tencent Cloud keys could allow charges or account actions depending on the key permissions.
The tool reads Tencent Cloud account credentials to call the OCR service. This is expected for the stated integration, but it grants access to a paid cloud account and is not reflected in the registry's required environment variables.
secret_id = os.environ.get("TENCENTCLOUD_SECRET_ID")
secret_key = os.environ.get("TENCENTCLOUD_SECRET_KEY")
Use a least-privilege Tencent Cloud key limited to OCR if possible, keep quotas/billing alerts enabled, and have the skill metadata declare the required credentials.
Invoice images or PDFs may leave the local environment and be processed by Tencent Cloud.
The invoice URL or Base64/file content is sent to Tencent Cloud's OCR endpoint. This is the core purpose of the skill, but invoices can contain sensitive business, tax, and bank-account information.
http_profile.endpoint = "ocr.tencentcloudapi.com"
...
req.ImageUrl = args.image_url
...
req.ImageBase64 = load_image_base64(args.image_base64)
...
resp = client.VatInvoiceOCR(req)
Only process invoices you are allowed to upload to Tencent Cloud, avoid public or long-lived URLs for sensitive files, and review Tencent Cloud's retention/privacy terms.
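The two findings above (broad credentials, and invoice content leaving the machine) both come down to checks the wrapper could perform before the call is made. The following is an added example written for this review, not code from the skill or from Tencent Cloud. It assumes the environment variable names and the request field names (ImageUrl, ImageBase64) shown in the skill's own snippets; the CAM action name "ocr:VatInvoiceOCR", the 7 MB size cap, the region "ap-guangzhou" and the CAM policy document layout are assumptions to verify against the Tencent Cloud console and documentation before use.

```python
"""Pre-flight checks around a Tencent Cloud VatInvoiceOCR call (added example).

Not the skill's own code. Assumed: the env var names used by the skill, the
request field names from its snippet, the CAM action name "ocr:VatInvoiceOCR",
the 7 MB Base64 cap and the default region.
"""
import base64
import json
import os
from urllib.parse import urlparse

ENDPOINT = "ocr.tencentcloudapi.com"
MAX_IMAGE_BYTES = 7 * 1024 * 1024      # assumed cap; check the OCR API docs
ENV_ID, ENV_KEY = "TENCENTCLOUD_SECRET_ID", "TENCENTCLOUD_SECRET_KEY"


class PreflightError(ValueError):
    """Raised when a request would leak data or run without proper credentials."""


def has_credentials(env):
    """True only when both halves of the key pair are present and non-empty."""
    return bool(env.get(ENV_ID)) and bool(env.get(ENV_KEY))


def load_credentials(env=None):
    """Read the key pair from the environment; fail closed instead of sending
    an unsigned request that the SDK would reject with a less clear error."""
    env = os.environ if env is None else env
    if not has_credentials(env):
        raise PreflightError(f"{ENV_ID} / {ENV_KEY} must both be set")
    return env[ENV_ID], env[ENV_KEY]


def is_acceptable_url(url):
    """Tencent's servers fetch the URL, so it must be https with a real host;
    a plaintext http URL exposes the invoice in transit a second time."""
    p = urlparse(url)
    return p.scheme == "https" and bool(p.netloc)


def load_image_base64(data):
    """Base64-encode local invoice bytes, refusing empty or oversized input."""
    if not data:
        raise PreflightError("empty invoice file")
    if len(data) > MAX_IMAGE_BYTES:
        raise PreflightError(f"invoice file too large: {len(data)} bytes")
    return base64.b64encode(data).decode("ascii")


def build_request(*, image_url=None, image_bytes=None):
    """Return the VatInvoiceOCR request fields as a plain dict.

    Exactly one input source is accepted. Local bytes are preferred: they
    never sit at a URL that anyone else could fetch later."""
    if (image_url is None) == (image_bytes is None):
        raise PreflightError("give exactly one of image_url or image_bytes")
    if image_bytes is not None:
        return {"ImageBase64": load_image_base64(image_bytes)}
    if not is_acceptable_url(image_url):
        raise PreflightError(f"refusing non-https invoice URL: {image_url!r}")
    return {"ImageUrl": image_url}


def least_privilege_policy(actions=("ocr:VatInvoiceOCR",)):
    """CAM policy document that grants only the listed OCR actions, to attach
    to the sub-user whose key the skill uses (document layout assumed)."""
    policy = {
        "version": "2.0",
        "statement": [{"effect": "allow", "action": list(actions), "resource": "*"}],
    }
    return json.dumps(policy, indent=2)


def run_vat_invoice_ocr(fields, region="ap-guangzhou"):
    """Perform the real call. The SDK is imported lazily so the checks above
    can be exercised without the SDK or network access."""
    from tencentcloud.common import credential
    from tencentcloud.common.profile.client_profile import ClientProfile
    from tencentcloud.common.profile.http_profile import HttpProfile
    from tencentcloud.ocr.v20181119 import models, ocr_client

    secret_id, secret_key = load_credentials()
    http_profile = HttpProfile()
    http_profile.endpoint = ENDPOINT
    client = ocr_client.OcrClient(credential.Credential(secret_id, secret_key),
                                  region, ClientProfile(httpProfile=http_profile))
    req = models.VatInvoiceOCRRequest()
    req.from_json_string(json.dumps(fields))
    return client.VatInvoiceOCR(req).to_json_string()


if __name__ == "__main__":
    # Constructed sample: a local file is encoded rather than published at a URL.
    print(build_request(image_bytes=b"%PDF-1.4 constructed sample")["ImageBase64"][:16])
    print(least_privilege_policy())
```

The policy printed by least_privilege_policy is what to attach to a dedicated CAM sub-user instead of the root account key; if the key later needs more than VatInvoiceOCR, widen the action list deliberately rather than falling back to "ocr:*" or "*".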
Installing an unpinned dependency may pull a newer or unexpected package version.
The setup documentation asks for a manual, unpinned package install. This dependency is expected for a Tencent Cloud OCR wrapper, but pinning and provenance are not specified.
Dependency: `tencentcloud-sdk-python` (install with `pip install tencentcloud-sdk-python`)
Install the official Tencent Cloud SDK from a trusted package source and consider pinning a reviewed version.
