Time Album Custom Condensed Analysis Skill

Pending: VirusTotal audit pending.

Overview

No VirusTotal analysis has been recorded yet. File reputation checks will appear here once the artifact hash has been scanned.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A phone number or API-key-like value could be used as the account key for report storage or history lookup, which may expose or associate reports with the wrong identity.

Why it was flagged

The skill tells the agent to use a credential-looking config value, username, or phone number as the account identity for saving and querying cloud reports, while the registry declares no primary credential or required config path.

Skill content
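If the file exists and the api-key field is configured, read api-key as the open-id ... execution must be paused and the user must be explicitly prompted to provide a username or phone number as the open-id
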
Recommendation

Use a dedicated non-secret user identifier or proper OAuth/API authentication, declare the config path and credential contract, and do not treat an api-key field as open-id.

What this means

A history query may display more cloud report data than the user expected, including detailed analysis fields or report URLs returned by the provider.

Why it was flagged

The custom skill inherits this history-list behavior, which serializes the full provider API response instead of limiting output to the selected report-list fields promised in SKILL.md.

Skill content
response_text = JsonUtil.stringify(response) ... 📊 分析报告记录列表(结构化结果) ... {response_text}

Recommendation

Filter history output to the documented columns, redact sensitive fields, and ensure provider responses are scoped to the authenticated user.

What this means

Users may believe the analysis is constrained to their requested target while the uploaded video is processed without that custom target being applied.

Why it was flagged

The advertised custom target/keyword text is accepted but not sent as an analysis parameter when a video path or URL is provided.

Skill content
def analyze_timelapse(input_path=None, url=None, text=None, api_url=None, api_key=None, output_level=None):
    input_path = input_path or url or text
    return skill.get_output_analysis(input_path)

Recommendation

Pass --text through to the API request, fail clearly when required targeting text is missing, and update documentation to match actual behavior.

What this means

If dev mode is enabled, analysis traffic could be sent to a private or unintended endpoint.

Why it was flagged

A published dev configuration contains a private raw-IP HTTP endpoint; it is not active under the default prod config, but it creates a provenance and misconfiguration risk.

Skill content
base-url-open-api: "http://192.168.1.234:9601/smyx-open-api"

Recommendation

Remove private dev endpoints from the published skill or make environment selection explicit and safe.