v1.0.3

TencentCloud VehicleLicense OCR

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 6:34 AM.

Analysis

This skill is a coherent Tencent Cloud vehicle-license OCR helper, but users should notice that it sends sensitive license images to Tencent Cloud and requires cloud API credentials that are not declared in the registry metadata.

Guidance: This skill appears purpose-aligned and not deceptive. Before installing, confirm you are comfortable sending vehicle-license images to Tencent Cloud, use dedicated least-privileged Tencent Cloud credentials, and install the Tencent Cloud SDK from a trusted source.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
SKILL.md
Dependency: `tencentcloud-sdk-python` (installed via `pip install tencentcloud-sdk-python`)

The skill relies on an external Python package installed via pip, while the supplied install specifications declare no managed install step. The package is expected for Tencent Cloud API access, but the setup is not pinned or captured by an install spec.

User impact: Users may need to install a package manually, and an unpinned dependency can change over time.
Recommendation: Install the official Tencent Cloud SDK from a trusted package source, consider pinning a reviewed version, and ensure the registry metadata accurately declares the dependency.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
SKILL.md
Environment variables:
  - `TENCENTCLOUD_SECRET_ID`: Tencent Cloud API secret ID
  - `TENCENTCLOUD_SECRET_KEY`: Tencent Cloud API secret key

The skill needs Tencent Cloud API credentials. That is expected for this provider integration, but the registry metadata lists no required env vars or primary credential.

User impact: Supplying these credentials lets the script call Tencent Cloud OCR under the user's account and may incur charges depending on the account plan.
Recommendation: Use least-privileged Tencent Cloud credentials dedicated to OCR if possible, keep them in environment variables rather than prompts or files, and rotate them if exposed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium | Confidence: High | Status: Note
scripts/main.py
http_profile.endpoint = "ocr.tencentcloudapi.com" ... req.ImageUrl = args.image_url ... req.ImageBase64 = load_image_base64(args.image_base64) ... resp = client.VehicleLicenseOCR(req)

The script sends either an image URL or Base64-encoded license image to Tencent Cloud's OCR endpoint. This is core to the stated OCR purpose, but vehicle licenses can contain names, addresses, plates, VINs, and other sensitive data.

User impact: Images or image URLs provided for OCR will be processed by Tencent Cloud, and the returned OCR result may include personal and vehicle-identifying information.
Recommendation: Use this only for documents you are authorized to process, avoid unnecessary uploads, and review Tencent Cloud's privacy, retention, and billing terms for the OCR service.