Skillv1.0.0

ClawScan security

Pet Behavior Recognition Skill | 宠物行为识别技能 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 16, 2026, 11:28 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill largely matches its stated purpose (uploading or pointing to videos and calling remote pet-analysis APIs) but contains inconsistencies around local data access, local persistence, and environment usage that are not documented in SKILL.md and deserve caution.
Guidance: Key things to check before installing/using: - Data exfiltration risk: This skill uploads video files (or instructs the remote API to download a provided URL) to external servers (config shows lifeemergence/open API hosts). If videos contain sensitive content, presume they will leave your machine. - Local persistence mismatch: Despite SKILL.md forbidding reading local memory, the code includes a local SQLite DAO that will create/use a DB under the workspace data directory and will load/save YAML config files. If you cannot tolerate local storage of metadata or tokens, do not install/run this skill. - Environment variables: The skill reads environment variables (OPENCLAW_SENDER_OPEN_ID, OPENCLAW_SENDER_USERNAME, OPENCLAW_WORKSPACE, FEISHU_OPEN_ID) even though SKILL.md declares none required. If those env vars exist they may be used automatically as the 'open-id' or to determine storage locations. Audit or clear them if needed. - Network behavior: Review skills/smyx_common/scripts/util.py (RequestUtil and related functions) to confirm exactly what headers/fields are sent to remote APIs and whether open-id or any tokens are included in requests. The SKILL.md depends on the remote service for history queries and report exports; verify the endpoints and ownership. - Provenance and trust: The skill source is 'unknown' and no homepage is provided. Consider running it in an isolated environment (sandbox or VM) first, examine network traffic (e.g., with a proxy), and inspect util.RequestUtil to see the exact API URLs and payloads before using with real videos or credentials. - If you proceed: avoid providing highly sensitive open-ids/phone numbers unless you trust the remote service; prefer using a throwaway/test open-id and test with non-sensitive videos. If you need a guarantee about local-memory access (as SKILL.md claims), request the author to remove local DB usage or to document and opt-in to local persistence explicitly. If you want, I can scan the util.py (RequestUtil) and the remainder of files for the exact HTTP request construction and any hidden endpoints or fields used in uploads — that would raise confidence and let me tell you exactly what metadata is transmitted.

Review Dimensions

Purpose & Capability: noteThe name/description (pet behavior recognition via server-side APIs) aligns with the code: scripts call remote analysis endpoints and accept local file or URL inputs. The included config points to plausible API hosts (lifeemergence/open API URLs). Having helper modules for face-analysis and shared utilities is coherent with the product family (health/analysis pipelines).
Instruction Scope: concernSKILL.md imposes strict runtime rules (absolute prohibition on reading local memory files and LanceDB, mandates open-id retrieval from specific config paths or direct user input). However, the codebase does read config files, loads YAML config under skills/smyx_common, and the DAO module creates/uses a local SQLite DB under workspace/data. That contradicts the SKILL.md 'absolute prohibition' on reading local memory. SKILL.md also says uploaded attachments will be saved to an attachments directory, but I could not find clear code that implements that exact behavior. The runtime instructions also require running local scripts (python -m scripts.pet_behavior_detection_analysis) which will read config, environment, and may persist data locally.
Install Mechanism: noteThere is no install spec (instruction-only install), which reduces installer-level risk. However, multiple requirements.txt files (especially skills/smyx_common/requirements.txt) list a very large dependency set; although these are not auto-installed by a declared installer, they indicate the code expects a heavy runtime environment. No remote archive downloads were declared.
Credentials: concernThe skill declares no required env vars, yet code reads environment variables (OPENCLAW_SENDER_OPEN_ID, OPENCLAW_SENDER_USERNAME, FEISHU_OPEN_ID, OPENCLAW_WORKSPACE) and may use them to set CURRENT__OPEN_ID or determine paths. SKILL.md's open-id acquisition flow does not mention environment variables as an allowed source, so there is a mismatch between declared requirements and actual env usage. The skill also expects (or can accept) an api-key/api-url for the remote service; sending video (potentially sensitive) and metadata to external endpoints is inherent to the feature and must be considered by users.
Persistence & Privilege: concernThe code includes a local DAO that creates/uses an SQLite DB under a workspace data directory and will create config YAML files if missing. This means the skill writes persistent files on disk (workspace/data/*.db, generated config.yaml). That behavior conflicts with the SKILL.md 'absolute prohibition' on reading local memory files (it forbids reading memory, but the package persists local DB/config). 'always: false' and normal autonomous invocation are fine, but the local persistence and potential storage of user/open_id/token fields increase its blast radius if misused.