Fall Detection Skill (Video Version)
Review
Audited by ClawScan on May 10, 2026.
Overview
The fall-detection purpose is coherent, but the skill should be reviewed because it uploads private videos and can query cloud report history using an open-id/API-key-like identifier with unclear access controls.
Review this skill before installing. Use it only if you are comfortable sending selected fall-monitoring videos and a user identifier to the configured cloud API. Do not store a real API key in a field that the skill may reuse as an open-id, and verify how report history is authenticated, who can access report links, and how long videos/reports are retained.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user identifier or an API-key-like value may become the basis for accessing historical fall reports, making it unclear how the skill prevents access to the wrong person's sensitive reports.
The skill tells the agent to use an api-key field, username, or phone number as the open-id for saving and querying cloud reports, which is an unclear identity boundary for sensitive report history.
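If the file exists and the api-key field is configured, read the api-key as the open-id ... execution must be paused and the user explicitly prompted to provide a username or phone number as the open-id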
Use a separate open-id/user-id field, require a real authenticated session or scoped token for report history, and declare the credential and access scope clearly in metadata and documentation.
Videos of living rooms, bedrooms, bathrooms, or elderly-care areas may be transmitted to the service provider and stored as reports.
The skill explicitly sends local video files or video URLs to a remote API for analysis; this is expected for cloud video detection but involves sensitive home-monitoring footage.
`--input`: local video file path (uploaded using multipart/form-data) ... `--url`: network video URL (downloaded automatically by the API service)
Only provide videos you are comfortable sharing with the provider, confirm consent for monitored people, and review the provider's retention and report-sharing controls.
The agent may refuse to use local memory or prior conversation summaries for report history, even if a user asks for them.
The skill gives high-priority behavioral rules that override memory use and force cloud API lookup for history queries.
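⚠️ Mandatory memory rule (highest priority) ... Reading any local memory file is strictly forbidden ... All historical report queries must be retrieved from the cloud API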
Keep this rule only if cloud reports are the intended source of truth, and make clear to users that history queries will contact the cloud service.
If the skill is switched to the dev environment, requests could go to an unintended private or insecure HTTP endpoint.
A development config contains a raw private-IP HTTP API endpoint. It is not the default production config, but it is a provenance and configuration hygiene issue.
base-url-open-api: "http://192.168.1.234:9601/smyx-open-api"
Remove development endpoints from published skills or ensure all selectable endpoints are documented, HTTPS-protected, and appropriate for end users.
