使用 DMXAPI 平台进行图像识别和理解。支持 Gemini 等多模态视觉模型。可进行图片描述、OCR文字识别、图表数据分析、物体检测、场景理解等任务。当用户需要识别图片内容、提取图片文字、分析图表、理解图像时使用此技能。
Security Analysis
medium confidenceThe skill's documentation is plausible for an image-recognition CLI wrapper, but its declared metadata (no binaries, no env vars) contradicts the runtime instructions that require Node.js, a global npm package, and a DMXAPI API key — and the instructions will upload local images (possibly sensitive) to an external API.
The SKILL.md describes a CLI wrapper for DMXAPI (image description, OCR, chart analysis, etc.), which is coherent with the stated purpose. However the registry metadata claims no required binaries or env vars while the instructions explicitly require Node.js 20+, installing dmxapi-cli, and setting an API key — this mismatch is unexpected and incoherent.
Instructions tell the agent/user to convert local images to base64 and upload them (or pass remote URLs) to DMXAPI. That is expected for an image-recognition skill, but it also means local files (including PII like ID cards) will be transmitted off-machine. The SKILL.md does not ask to read other unrelated files or secrets, but it does instruct persistent CLI configuration of an API key.
There is no formal install spec in the registry, yet SKILL.md tells users to run `npm install -g dmxapi-cli`. A global npm install executes unvetted package install scripts and grants the package filesystem/exec capabilities on the host. Because the package and its origin are not validated in the metadata (no homepage/source provided), this raises installation risk.
The registry lists no required environment variables or primary credential, but the runtime instructions require configuring an API key (`dmxapi config set apiKey sk-your-api-key`). That mismatch is problematic: the skill will store and use a service credential but does not declare it in metadata, preventing automated permission review. Requesting a single API key is reasonable for the described functionality, but it must be declared and verified.
The skill is not marked always:true and does not request elevated platform privileges. However, the CLI step `dmxapi config set apiKey ...` will persist the API key in the user's dmxapi CLI config (local persistence) and a global npm install will write files system-wide. These behaviors are normal for a CLI tool but were not declared in the registry metadata.
Guidance
This skill looks like an instruction-only wrapper for the third-party 'dmxapi-cli', but its registry metadata omits important requirements. Before installing or using it: 1) Verify the dmxapi-cli package on npm (author, downloads, repository, install scripts) and confirm the DMXAPI service (https://www.dmxapi.cn/) is legitimate. 2) Do not upload sensitive images (ID cards, passports, medical records) until you trust the provider—the skill will send local images (base64) to an external API. 3) Prefer supplying a scoped API key with minimal privileges and remove it from local config when no longer needed; be aware `dmxapi config set` will persist the key locally. 4) If you need stronger assurance, request a version of the skill that declares its required env vars and install steps in registry metadata or one that uses an official, audited SDK/source repository. 5) If you cannot verify the npm package or service, avoid running `npm install -g` globally; consider running it inside an isolated VM/container for testing.
Latest Release
v1.0.0
- 首次发布 dmxapi-image-recognition 技能,支持多种图像识别与理解任务。 - 支持图片描述、OCR文字识别、图表分析、物体检测、场景理解等多种任务类型。 - 兼容多种图片输入格式(PNG、JPEG、WebP、GIF),支持本地文件与远程 URL。 - 命令行使用 dmxapi-cli,灵活选择模型与参数,提升视觉任务效果。 - 提供丰富的使用示例,涵盖常见图片识别与数据提取场景。
Popular Skills
追剧/追番技能, 支持投屏到电视
@al-one · 4 stars
🛍️ 淘宝/京东/拼多多比价技能
@al-one · 3 stars
🎤 Transcribe audio files using Qwen ASR. 千问STT
@al-one · 2 stars
🗣️ Edge-TTS Skill using uvx
@al-one · 2 stars
🗣️ Text-to-speech using GLM-TTS for generating audio
@al-one · 2 stars
Lark / Feishu Skill via OpenAPI MCP servers (300+ tools)
@al-one · 1 stars
Published by @onee-io on ClawHub
