Basic Object Detection Skill | 基础目标检测技能

Things to check before installing or running this skill: - Audit RequestUtil (skills/smyx_common/scripts/util.py) and any http_post/http_get functions to see what headers and env/config values they include in requests (do they send API keys, tokens, or other environment data?). This is the most important review step. - Confirm you are comfortable with the skill creating/editing files in the workspace: it may auto-create config.yaml files and a SQLite DB under ${OPENCLAW_WORKSPACE}/data. If you run the skill in a shared workspace, it could persist data accessible to other code. - The SKILL.md forbids reading local 'memory' files, but the codebase reads local config and can write persistent DB/config files — verify whether historical-report access truly uses only cloud APIs as the doc requires. - Review and, if possible, restrict the API base URLs in skills/smyx_common/scripts/config.yaml (they default to lifeemergence/open-api URLs and dev/internal IPs are present in other configs). Ensure the endpoints are ones you trust and that you control the API key you pass to the script. - If you only want object detection and not the larger feature set, consider extracting/running only scripts/basic_object_detection_analysis.py after inspecting RequestUtil and config behavior. - Run the skill first in an isolated sandbox environment (no sensitive environment variables present, isolated workspace) and monitor network traffic to validate which endpoints are contacted and what data is transmitted (media files, metadata, any environment-derived tokens). Why I marked this 'suspicious': there are legitimate uses here, but the codebase and runtime rules do not fully align with the SKILL.md claims (forbidding local memory yet reading/writing local configs/DBs; un-declared environment variables are accessed; a large reused common library and unrelated modules are bundled). These inconsistencies merit manual inspection before trusting the skill with sensitive media or credentials.