Infant Prone-Sleep Suffocation Warning Skill
Pass
Audited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill
Name: smyx-infant-suffocation-warning-analysis
Version: 1.0.1
The skill bundle is a functional implementation for infant sleep safety monitoring and TCM face analysis, relying on a cloud-based API (lifeemergence.com). It uses a shared library (smyx_common) to manage user sessions via a local SQLite database and handles API authentication. While SKILL.md contains 'forced rules' to redirect the AI agent away from local memory and toward the cloud API, these appear to be architectural choices for data consistency rather than malicious prompt injections. The code includes a monetization flow (402 error handling) that prompts for a payment skill, which is consistent with a commercial skill ecosystem.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A parent could over-rely on this tool for infant safety even though it may only analyze submitted video and may not provide continuous real-time protection.
These high-stakes safety claims could cause users to rely on the skill as a continuous infant monitor; the artifacts show a scripted cloud analysis workflow, not a verified 24/7 alarm system.
conducts 24/7 real-time monitoring... immediately triggers a real-time alarm... effectively prevent Sudden Infant Death Syndrome (SIDS)... zero-dead-angle sleep safety barrier
Use it only as an assistive analysis tool, keep adult supervision, and require the publisher to narrow the claims unless real monitoring, alert delivery, and reliability evidence are provided.
A real secret, phone number, or account identifier could be used for cloud report storage/querying in a way the user did not expect.
The skill tells the agent to read a field named api-key as an identity value or collect a phone number/username, while registry metadata declares no primary credential or config path.
If the file exists and the api-key field is configured, read api-key as the open-id... prompt the user to provide a username or phone number as the open-id
Do not put secrets in the open-id value; use a dedicated non-secret identifier and ask the publisher to clearly declare credential/config requirements and how identifiers are stored.
Infant video, video URLs, and report history may be stored locally and processed by the configured cloud provider.
The skill discloses local saving plus cloud upload/download/report-history flows for infant sleep videos and reports, which are sensitive even though they fit the stated purpose.
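automatically saved to attachments under the skill directory... local video file path (uploaded using multipart/form-data)... network video URL (downloaded automatically by the API service)... historical warning record queries must be fetched from the cloud API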
Only submit videos you are comfortable sending to the provider, review retention/privacy terms, and delete local attachments if they are no longer needed.
If switched to the dev environment, sensitive videos or identifiers could be sent to an internal/private HTTP service instead of the production service.
A packaged development config points at a raw private HTTP endpoint; it is not the default prod config, but it creates a deployment/provenance risk if the environment is changed.
base-url-open-api: "http://192.168.1.234:9601/smyx-open-api"
Remove dev endpoints from published packages or clearly gate them so normal users cannot accidentally route data to them.
History queries will be steered to the cloud API rather than local conversation memory, even during failures.
The skill uses priority-style language to constrain the agent's memory behavior. This appears related to using cloud history, but untrusted skill text should not override higher-level policies.
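Mandatory memory rules (highest priority)... reading any local memory files is strictly forbidden... even if the skill call fails or the API returns an error, do not fall back to summarizing from local memory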
Treat these as scoped operating instructions for this skill only, not as higher-priority rules over user or platform policy.
