math-arithmetic-ocr Security Report — Low Risk | ClawSafe

15 /100

math-arithmetic-ocr

腾讯云算式识别 Skill for OpenClaw - OCR for math equations

A legitimate Tencent Cloud ArithmeticOCR integration with accurate documentation, no hidden functionality, and standard credential handling for API authentication.

Skill Namemath-arithmetic-ocr

Duration26.6s

Enginepi

✓

Safe to install

Skill is safe to use. Consider pinning axios version to ^1.6.0 in package.json to reduce supply chain risk.

Findings 2 items

Severity	Finding	Location
Low	Unpinned dependency version Supply Chain axios dependency uses caret range ^1.6.0 without exact version pinning, which could lead to unexpected updates `"axios": "^1.6.0"` → Change to "axios": "1.6.0" for reproducible builds	`package.json:9`
Info	Potential over-declaration of file.read permission Doc Mismatch SKILL.md and plugin.json declare file.read permission, but code analysis shows only imageBase64/imageUrl are accepted as inputs. Local file reading is not implemented. `"permissions": ["network.request", "file.read"]` → Remove file.read from declared permissions if not needed	`plugin.json:34`

Resource	Declared	Inferred	Status	Evidence
Network	`READ`	`READ`	✓ Aligned	index.js:103 - axios POST to https://ocr.tencentcloudapi.com
Filesystem	`READ`	`NONE`	✓ Aligned	plugin.json declares file.read but code only accepts imageBase64/imageUrl parame…
Environment	`NONE`	`READ`	✓ Aligned	index.js:138-139 reads TENCENTCLOUD_SECRET_ID/KEY for API authentication only
Shell	`NONE`	`NONE`	—	No subprocess or shell execution detected

1 findings

🔗

Medium External URL 外部 URL

https://ocr.tencentcloudapi.com

index.js:103

File Tree

4 files · 10.1 KB · 332 lines

JavaScript 1f · 203L Markdown 1f · 73L JSON 2f · 56L

├─ 📜 index.js JavaScript 203L · 6.1 KB

├─ 📋 package.json JSON 12L · 237 B

├─ 📋 plugin.json JSON 44L · 1.4 KB

└─ 📝 SKILL.md Markdown 73L · 2.4 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`axios`	`^1.6.0`	npm	No	Version not pinned to exact release

Security Positives

✓ No shell execution or command injection vulnerabilities

✓ No data exfiltration or C2 communication patterns

✓ No obfuscation or base64-encoded payloads

✓ No sensitive path access (~/.ssh, ~/.aws, .env files)

✓ Credential handling is appropriate - keys used only for local API signing

✓ Documentation accurately describes implementation behavior

✓ Clear and focused functionality (math OCR only)

✓ No reverse shell, backdoor, or persistence mechanisms

✓ Legitimate Tencent Cloud API endpoint (ocr.tencentcloudapi.com)

Scan Report

Findings 2 items

File Tree

Dependencies 1 items

Security Positives