Fall Detection Analysis Skill
Review
Audited by ClawScan on May 11, 2026.
Overview
The skill mostly matches fall-detection, but its handling of user identifiers, API-key fields, and historical report access is not clearly bounded.
Install only if you are comfortable sending selected fall-detection images or videos to the provider's cloud API. Use only your own open-id, do not place real API keys in the open-id field, confirm historical report queries before running them, and delete saved attachments when finished.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A wrong or shared identifier could cause the agent to retrieve or expose historical fall-detection report links for the wrong account, and a real API key stored in config could be treated as an open-id.
The skill uses a local api-key field and/or a username or phone number as the identity used to save and query cloud reports; the artifacts do not clearly separate credentials from user identifiers or show a scoped authorization boundary for historical report access.
If the file exists and the api-key field is configured, read api-key as the open-id ... must prompt the user to provide a username or phone number as the open-id
Do not reuse API-key fields as open-id values. Require an authenticated platform identity or explicit user confirmation for history lookups, and document exactly which account's reports can be accessed.
Private home-care or monitoring footage may be sent to the provider for analysis.
The skill discloses that local images/videos are uploaded to an external API, or that the API fetches a supplied media URL. This is aligned with the fall-detection purpose but involves sensitive media transfer.
`--input`: local image/video file path (uploaded via multipart/form-data) ... `--url`: network image/video URL (downloaded automatically by the API service)
Use only media you are authorized to share, avoid unnecessary private footage, and verify the provider's retention and privacy practices before use.
Uploaded care or monitoring media may remain on disk after analysis unless manually removed.
The instructions say uploaded media is automatically saved under the skill's attachments directory, creating local persistence for potentially sensitive images or videos.
If the user uploads an attachment or an image/video file, it is automatically saved to attachments under the skill directory
Delete local attachments when they are no longer needed, and the skill publisher should document retention and cleanup behavior.
If the skill is switched to the dev environment, API traffic could be sent to an untrusted or unreachable private HTTP service.
The package includes a development configuration pointing at a private raw-IP HTTP endpoint. It does not appear active by default, but it is risky if accidentally enabled.
base-url-open-api: "http://192.168.1.234:9601/smyx-open-api"
Keep production HTTPS endpoints enabled, remove unpublished dev endpoints from release packages, or clearly document when they are safe to use.
