Skillv1.0.0

ClawScan security

Child Hazardous Behavior Recognition Tool | 儿童危险行为识别分析工具 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 14, 2026, 8:56 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill generally matches a child-behavior recognition feature but contains multiple mismatches and risky behaviors (reads/writes workspace files, creates local DB/configs, references unrelated face/pet modules and external APIs) that are not fully justified by its description.
Guidance: This skill is not obviously malicious but has several red flags you should consider before enabling it: - Code reuse and scope creep: The package contains unrelated modules (face_analysis, pet-health docs) and a large shared library (skills/smyx_common). That may be benign reuse but increases the amount of code executed and any surprises. - File I/O and persistence: The skill will read/write config files and create a local SQLite DB under the workspace/data path and will save uploaded attachments to the skill directory. If you need to avoid local persistence, do not install or run it. - Network endpoints and API keys: The skill calls remote APIs (base URLs in skills/smyx_common/scripts/config.yaml point to lifeemergence domains). It will ask for an open-id (and optionally an API key). Do not provide real user identifiers, credentials, or sensitive data until you verify the backend endpoints and privacy policy. - Environment leakage: The code implicitly reads environment variables (OPENCLAW_SENDER_OPEN_ID, OPENCLAW_SENDER_USERNAME, FEISHU_OPEN_ID, OPENCLAW_WORKSPACE). If those exist in your environment they may be used automatically. - Minimal test recommendations: run the tool in an isolated sandbox workspace, with network egress blocked or pointed to a mock endpoint, and with empty/controlled OPENCLAW_WORKSPACE. Inspect (or prevent) the created config.yaml and sqlite DB. Review the actual API host addresses and confirm they are trusted before supplying real open-id or API keys. If you proceed, audit the code paths that perform HTTP requests (skills/smyx_common/scripts/api_service.py and scripts/api_service.py), decide where uploaded videos and generated reports will be stored, and confirm the remote service's data retention and privacy practices.

Review Dimensions

Purpose & Capability: concernThe declared purpose is child hazardous behavior recognition and the scripts implement a wrapper that calls a remote analysis API, which is coherent. However the repository includes unrelated artifacts (face_analysis and pet-health references, README about TCM face diagnosis, references/api_doc.md about pet health) suggesting code reuse or copy-paste from other domains. That mismatch increases risk because the skill will pull in a general-purpose common library (skills/smyx_common) and may call generic AI endpoints rather than a narrowly scoped child-safety API.
Instruction Scope: concernSKILL.md forbids reading local memory files, but the runtime instructions and code explicitly require reading configuration files (skills/smyx_common/scripts/config.yaml in-skill and in-workspace) to obtain open-id and may auto-save uploaded attachments under the skill directory. The skill instructs running python -m scripts.child_dangerous_behavior_recognition_analysis from the skill root which will execute the included codebase (not a minimal single-script). The code also includes a local DAO and SQLite usage (skills/smyx_common/scripts/dao.py) and utilities that may access workspace paths. This conflicts with the 'absolute prohibition' on local memory access and widens scope to file I/O and local persistence.
Install Mechanism: noteThere is no install spec (instruction-only), so nothing will be automatically downloaded at install time. However the bundle contains a large requirements list (skills/smyx_common/requirements.txt and face_analysis requirements) and many Python modules; the SKILL.md mentions requests>=2.28.0. Because no installer is declared, users/operators must manually satisfy dependencies — the lack of an install step is inconsistent with the embedded requirements but not itself malicious.
Credentials: concernThe skill declares no required environment variables but the code reads several environment values implicitly: OPENCLAW_SENDER_OPEN_ID, OPENCLAW_SENDER_USERNAME, FEISHU_OPEN_ID and OPENCLAW_WORKSPACE are referenced in skills/smyx_common/scripts/config.py and dao.py. The SKILL.md enforces retrieving an 'open-id' via local config files or from the user message; it also encourages passing optional api-key/api-url. Requesting/pulling these values at runtime (and creating config files if missing) is broader than the declared 'none' and may access workspace-wide config and create files/databases under workspace/data.
Persistence & Privilege: concernAlthough always:false, the skill will create/read files and a local SQLite DB: YamlUtil.load will create config.yaml if missing (skills/smyx_common/scripts/config.yaml), and Dao.get_db_path builds a workspace data path and creates a sqlite DB (smyx-common-claw.db) under workspace/data. SKILL.md also says uploaded attachments will be saved to an attachments directory under the skill. These behaviors persist data on disk and modify config/DB files in the workspace, which is more privilege than the description implies.