Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Elderly Fall Detection Skill | 老人跌倒检测技能

v1.0.0

Utilizes vision and radar technology for contactless detection of falls. It triggers alarms within seconds and is suitable for home safety monitoring of elde...

by smyx-skills@18072937735
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (elderly fall detection) matches code that calls remote analysis APIs and performs fall/pose analysis. However the bundle includes large shared modules (skills/smyx_common and skills/face_analysis) and a local SQLite DAO that go beyond a minimal detector implementation — suggesting reuse of a broad platform rather than a single focused tool. The included face-analysis module is related but not strictly necessary for a narrow fall-detection task.
Instruction Scope
The SKILL.md and scripts require uploading user-supplied images/videos to a remote API (via RequestUtil.http_post) and mandate querying cloud history endpoints; they also automatically save uploaded attachments into an attachments directory. The README explicitly forbids reading local memory files but requires reading config files from the skill and workspace. The skill therefore reads/writes local files and transmits possibly sensitive video data to external servers — behavior that expands the scope (privacy and network exfiltration) beyond what a purely local detector would do.
Install Mechanism
There is no install spec (the skill is instruction-only), which reduces install-time risk. However, the repository includes a large requirements.txt in smyx_common listing many heavy dependencies that would be needed to run the code; without an install spec, dependency installation and verification are left to the user or environment and could be overlooked or cause unexpected package installs.
Credentials
The skill declares no required env vars, but the code reads/writes configuration and uses OPENCLAW_WORKSPACE and OPENCLAW_SENDER_OPEN_ID if present; it will also accept API keys/open-id values and use them when calling remote APIs. SKILL.md instructs using the api-key field in local config as an open-id (confusing and inconsistent: api-key is not usually an identifier). The skill transmits uploaded media to third-party endpoints (base URLs present in common config), so sensitive data and identifiers may be sent off-host despite privacy claims.
Persistence & Privilege
Although not always-enabled, the skill writes local files: it will save uploaded attachments under the skill directory, create/configure YAML config files (YamlUtil will create missing config.yaml), and create/use a SQLite DB under a workspace 'data' directory via the Dao implementation. This persistent local footprint (and automatic creation/modification of config files) is more privilege than a purely transient analysis tool and should be accepted intentionally.
What to consider before installing
This skill will upload images/videos to remote analysis servers and will create and modify local files (attachments, config YAMLs, and a SQLite DB in your workspace). It also mixes an api-key/config-based flow with an open-id concept (the SKILL.md instructs reading api-key as open-id), which is confusing. Before installing or running:
1. Verify the remote API base URL(s) in skills/smyx_common/scripts/config.yaml and confirm you trust that third party to receive sensitive video data.
2. Expect the skill to save uploaded files and a local DB under your OPENCLAW_WORKSPACE; run in an isolated/sandboxed workspace if you want to limit persistence.
3. Do not provide sensitive identifiers or real user IDs unless you understand how they are used; prefer temporary/test data first.
4. If you require true privacy-preserving local-only detection, this skill is not coherent with that goal because it sends media to external services.
5. If you need higher assurance, review skills/smyx_common/scripts/util.py (RequestUtil) to confirm exactly where and how network requests are sent, and consider running the code in a controlled environment or modifying it to use a trusted/local inference endpoint.
Static analysis finding (skills/smyx_common/scripts/config-dev.yaml:2): Install source points to URL shortener or raw IP.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.


latest: vk976cj9m4zns292dqrjyeqj9mn84x4rc

