猫脸识别技能 (Cat Face Recognition Skill)
Audited by ClawScan on May 10, 2026.
Overview
The skill's documented behaviour mostly matches cat-face recognition, but it sends pet media plus a user or phone identifier to a cloud service and then uses that same identifier to retrieve reports, with no clear boundary between an identifier and a credential.
Before installing, confirm the provider endpoint, how open-id or phone numbers are authenticated, where images/videos and reports are stored, and how to delete them. Start with a non-sensitive test image or video.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may disclose a phone number or identifier, and the skill may retrieve or create cloud report history tied to that identifier. If the backend relies mainly on open-id, report access could be mis-scoped.
The skill uses a credential-looking config field or a user's phone/username as the identity for saving and querying cloud reports, while treating API-key authentication as optional; that leaves the account/report access boundary unclear.
"If the file exists and an api-key field is configured, read api-key as the open-id" ... "Prompt the user to provide a username or phone number as the open-id" ... "API key optional"
Install only if you trust the provider and can verify how open-id is authenticated and how report history is protected.
Cat photos or videos, potentially from home surveillance, will be sent to or fetched by an external analysis service.
The core workflow intentionally sends selected media or a media URL plus a user identifier to a remote provider API; this is expected for the stated purpose but is sensitive.
"--input": local image/video file path (uploaded as multipart/form-data) ... "--url": image/video URL on the network (downloaded automatically by the API service) ... "--open-id": the current user's open-id
Use only media you are comfortable sharing with the provider, and avoid private footage unrelated to the request.
Uploaded pet media and recognition reports may remain available locally or in the cloud after the immediate request.
The skill discloses local attachment storage and cloud report history, but it does not describe retention, cleanup, or whether stored media/reports may be reused later.
"If the user uploads an attachment or an image/video file, it is automatically saved to attachments under the skill directory" ... "used to save and query recognition report records"
Check whether there is a way to delete local attachments and cloud reports before using sensitive media.
If the environment were switched to dev, requests could target an unexpected private HTTP service instead of the documented production API.
A development configuration contains a raw private-IP HTTP endpoint. The default config appears to use prod, but the included dev endpoint is still a provenance and deployment clarity issue.
base-url-open-api: "http://192.168.1.234:9601/smyx-open-api"
Verify the active configuration before use and remove private-IP dev endpoints from distributed packages.
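The two configuration findings above (open-id derived from the api-key field or a user-typed phone number, and a private-IP HTTP endpoint shipped alongside the prod one) can both be checked before any media leaves the machine. The following preflight script is an added example written for this review, not code from the skill or from ClawScan. The key names api-key and base-url-open-api and the prod/dev split come from the quoted SKILL.md fragments; the "env" selector, the "environments" nesting, the sample prod hostname and the sample phone number are constructed assumptions about how such a config might be laid out.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed example config. Key names follow the quoted SKILL.md fragments;
# the "env" selector and "environments" nesting are assumptions, and the prod
# host uses the reserved .invalid TLD so it cannot resolve to a real service.
EXAMPLE_CONFIG = {
    "env": "prod",
    "api-key": "",  # empty: the skill falls back to asking for a phone number/username
    "environments": {
        "prod": {"base-url-open-api": "https://api.example.invalid/smyx-open-api"},
        "dev": {"base-url-open-api": "http://192.168.1.234:9601/smyx-open-api"},
    },
}


def endpoint_issues(url):
    """Return the reasons a base URL should not receive pet media or identifiers."""
    if not url:
        return ["no endpoint configured"]
    parts = urlparse(url)
    issues = []
    if parts.scheme != "https":
        issues.append("plaintext scheme %s" % parts.scheme)
    host = parts.hostname
    if not host:
        issues.append("no host")
        return issues
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return issues  # a DNS name; nothing more can be said offline
    # is_private covers RFC 1918, loopback and link-local ranges
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        issues.append("private address %s" % host)
    return issues


def resolve_open_id(config, user_supplied=None):
    """Apply the identity rule quoted from SKILL.md: the api-key field if it is
    set, otherwise whatever the user typed. Nothing in that rule verifies that
    the caller actually owns the resulting open-id."""
    api_key = config.get("api-key")
    if api_key:
        return {"open_id": api_key, "source": "api-key",
                "note": "a credential doubles as the identity used for report lookups"}
    if user_supplied:
        return {"open_id": user_supplied, "source": "user-supplied",
                "note": "bare phone number/username; no credential accompanies report lookups"}
    return None


def preflight(config, user_supplied=None):
    """Summarise where a run would send data and what identity it would use."""
    env = config.get("env", "prod")
    environments = config.get("environments", {})
    active_url = environments.get(env, {}).get("base-url-open-api", "")
    # Inspect every environment in the package, not only the active one, since
    # a shipped dev entry is reachable by flipping a single config value.
    shipped = {}
    for name, section in environments.items():
        issues = endpoint_issues(section.get("base-url-open-api", ""))
        if issues:
            shipped[name] = issues
    return {
        "active_env": env,
        "active_url": active_url,
        "active_issues": endpoint_issues(active_url),
        "shipped_private_endpoints": shipped,
        "open_id": resolve_open_id(config, user_supplied),
    }


if __name__ == "__main__":
    import json
    # "13800000000" is a constructed placeholder phone number
    print(json.dumps(preflight(EXAMPLE_CONFIG, user_supplied="13800000000"), indent=2))
```

Run it against the real config file before the first upload: a non-empty `shipped_private_endpoints` means the package still carries the dev endpoint, and an `open_id` entry whose `source` is `user-supplied` means report history would be keyed on an unverified phone number or username.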
Users may be unsure whether the skill is limited to cat identity recognition or whether unrelated analysis templates are involved.
The documentation contains a bird-recognition paragraph inside a cat-face-recognition skill, suggesting copy-paste/template inconsistency.
"This skill supports automatic recognition of birds in images or video streams, covering no fewer than 500 common bird species"
Review the endpoint configuration and provider documentation before relying on the skill's results.
