Pet Behavior Recognition Skill

Pass

Audited by ClawScan on May 10, 2026.

Overview

The skill is broadly purpose-aligned for pet video analysis, but users should know it sends selected videos and an open-id to a cloud API and includes a non-default raw-IP development config.

Before installing, confirm you are comfortable sending selected pet videos and an open-id to the configured LifeEmergence/open API endpoints. Use a non-sensitive identifier where possible, avoid uploading unrelated private footage, and verify the skill is using the production config rather than the included dev raw-IP endpoints.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

History report requests will query the cloud service for the configured open-id rather than using local conversation memory.

Why it was flagged

The skill deliberately constrains history-report retrieval to its cloud API and forbids local memory fallback. This is disclosed and consistent with its cloud history feature, but it changes the agent's data-source behavior.

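Skill content

If the user triggers any history-report query keyword, you must: call the API directly using the `python -m scripts.pet_behavior_detection_analysis --list --open-id` parameters ... Strictly forbidden: reading historical session information from the local memory directory

Recommendation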

Only use the history feature if you want cloud-backed report lookup; otherwise avoid invoking the skill for history queries.

What this means

Pet monitoring videos or video URLs provided to the skill may be sent to the configured external analysis service.

Why it was flagged

The pet skill subclasses this shared analysis implementation, which reads a selected local video file and sends it as multipart data to the analysis API. This is expected for video analysis, but it is still a cloud upload of potentially private media.

Skill content

with open(input_path, 'rb') as f:
    file_content = f.read()
...
files = {
    'file': (os.path.basename(input_path), file_content, mime_type)
}
...
response = self.analysis(
    params=params,
    files=files
)

Recommendation

Upload only videos you are comfortable sharing with the configured provider, and avoid footage containing unrelated private content.

What this means

Your report history may be associated with the open-id you provide, and a phone number used as open-id is personal information.

Why it was flagged

The skill uses an open-id, possibly sourced from a config field or provided as a username/phone number, to save and query reports. This is purpose-aligned account identification, but it is privacy-relevant.

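Skill content

If the file exists and the api-key field is configured, read api-key as the open-id ... execution must be paused and the user explicitly prompted to provide a username or phone number as the open-id

Recommendation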

Use the least-sensitive identifier accepted by the service, and do not put unrelated API keys or secrets in the open-id field.

What this means

If the environment were changed to dev, API calls could go to a private raw-IP HTTP endpoint instead of the production service.

Why it was flagged

A development config contains raw private-IP HTTP endpoints. The default config in the artifacts sets env: prod, so there is no evidence this is used by default, but it is a configuration/provenance item worth checking.

Skill content

base-url-open-api: "http://192.168.1.234:9601/smyx-open-api"

Recommendation

Keep the skill on the intended production config and remove or audit unused dev/test configs before deployment.

What this means

A local copy of uploaded media may remain in the skill directory after analysis.

Why it was flagged

The skill says uploaded attachments or videos are automatically saved under the skill directory. This is scoped and expected for processing, but retention and cleanup are not specified.

Skill content

If the user uploads an attachment or video file, it is automatically saved to attachments under the skill directory

Recommendation

Delete saved attachments when no longer needed, especially if the video contains private home footage.