A skill that uses GLM-V native grounding capabilities for coordinate conversion, bounding-box visualization, and more. GLM-V native grounding can locate any...
Security Analysis
High confidence
The skill's code, instructions, and required environment variables are consistent with a GLM‑V visual grounding/visualization tool; nothing in the bundle appears disproportionate or unrelated to that purpose.
Name/description (grounding, coordinate conversion, visualization, tracking) aligns with the included scripts (CLI, utils for boxes/3D/video/detection) and the declared env var ZHIPU_API_KEY. Required binaries and config paths are minimal and expected for image/video processing.
SKILL.md gives instructions to run the provided CLI and to install the listed Python deps. The code only reads user-supplied images/videos (local files or public http/https URLs), validates/blocks localhost and private IPs for URL inputs, loads/writes a local .env for the API key, and posts requests to a fixed Zhipu Chat Completions endpoint — all within the stated scope.
No installers or remote executable downloads are embedded. The skill expects pip install -r scripts/requirements.txt (standard PyPI packages). That is proportional for a Python visualization/vision tool and uses well-known packages listed in requirements.txt.
Only ZHIPU_API_KEY (primary credential) and an optional GLM_GROUNDING_TIMEOUT are requested. These map directly to calling the GLM‑V API and controlling request timeouts. The config_setup writes a local .env (skill-scoped) — expected for storing the API key.
always is false and the skill does not request system-wide or other-skills credentials. It writes/reads a .env within its own skill directory (normal for CLI tools). It does not modify other skills or global agent settings.
Guidance
This skill appears to do what it says: it sends user-provided images/videos to the GLM‑V service (Zhipu) using the ZHIPU_API_KEY and can save visualizations locally. Consider:
(1) any media you supply will be transmitted to the external model provider (Zhipu) — avoid sending private/sensitive images you wouldn't want processed by that service;
(2) the skill will create a .env file in its directory to store your API key — keep that directory private and add .env to .gitignore if you put the repo under version control;
(3) the code resolves hostnames to block private IPs, which causes DNS lookups — if you are in a sensitive network environment, be aware of that network activity;
(4) dependencies are installed from PyPI (standard risk) and ffmpeg is a system dependency for video output.
If you trust the upstream GLM‑V provider and are comfortable sending media to their API, the package is coherent; otherwise do not install or run it and avoid providing an API key.
Latest Release
v1.0.5
Version 1.0.5 of glmv-grounding
- No code or documentation changes detected in this release.
- Functionality and usage remain unchanged from the previous version.
Published by @jaredforreal on ClawHub