Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using it.

Pet Body Condition & Health Analysis Skill

v1.0.0

Identifies obesity, emaciation, external injuries, skin abnormalities, and abnormal mental states, helping pet owners detect health issues promptly. | Pet body condition and health...

by smyx-skills@18072937735
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code and instructions align with the stated purpose: scripts call remote analysis APIs, accept local files or URLs, and format reports. Including a face-analysis submodule for reuse is plausible. However the repo contains common modules (smyx_common) providing local DB/DAO and configuration handling that are broader than a minimal image-upload-and-forward tool — acceptable for a production integration but heavier than the simple feature description implies.
Instruction Scope
SKILL.md imposes strict rules (e.g., 'absolutely forbid reading any local memory files' and 'never read LanceDB') but the codebase includes local config loading (YamlUtil.load will create a config.yaml if missing) and a local DAO/SQLite layer that creates/uses files under workspace/data. The runtime instructions and code therefore disagree: the skill will read/initialize config files and may create local DB files even if the SKILL.md forbids local memory access.
Install Mechanism
There is no install spec (instruction-only), which reduces install risk. However the package includes large requirements lists in skills/smyx_common/requirements.txt and others (many dependencies) — installing those would be substantial. No remote download/extract steps are present in the skill manifest itself.
Credentials
The skill declares no required environment variables, but its configuration logic reads environment variables if present (OPENCLAW_WORKSPACE, OPENCLAW_SENDER_OPEN_ID, OPENCLAW_SENDER_USERNAME, FEISHU_OPEN_ID). The SKILL.md requires obtaining an 'open-id' (user id) from local config files or the user; API keys are optional but the skill will read api-key fields from config.yaml if present. The code will send media and identifiers to external API endpoints (configured via smyx_common config), so sensitive data (media, open-id, optional api-key) may be transmitted — this is proportionate to the purpose but must be acknowledged by the user.
Persistence & Privilege
The code can create persistent files: YamlUtil.load will create config.yaml if missing, and the DAO creates/uses a SQLite DB under a workspace/data path. The skill also documents automatically saving uploaded attachments into an attachments directory. The skill does not require 'always: true', but it will create persistent local state and write files to the workspace without an explicit install step.
What to consider before installing
This skill does what it says (upload images/video to a backend API and return structured pet-health reports), but note the following before installing or using it:

- Network uploads: user media (images/videos) and the provided 'open-id' will be sent to the configured remote API (default config points to external lifeemergence domains). If you need privacy, do not upload sensitive images or identifiers to that backend.
- Local files created: the code will create/read configuration files (config.yaml) and may create a local SQLite DB under the workspace/data directory. The SKILL.md forbids reading local memory, but the implementation still initializes and uses local config/DB — this mismatch is important.
- Credentials: API keys are optional but can be read from config files. If you place secrets in those config files, be aware they are used for remote API calls.
- No installer is provided, but the repository includes many dependency pins; running it in your environment may pull in many packages.

What to do next: if you plan to use this skill,

1) confirm the target backend URL and who operates it;
2) review and, if desired, edit the config.yaml files to point to your own trusted API or remove/blank any third-party endpoints;
3) run the skill in an isolated environment (e.g., a container) if you want to limit its ability to create files or access host data;
4) if you need the SKILL.md promise (never read local memory), ask the author to remove/simplify the local DB/config creation or provide proof that the code never touches local memory storage.

If any of these behaviors are unacceptable, do not install or run the skill.
Static analysis finding: skills/smyx_common/scripts/config-dev.yaml:2: Install source points to URL shortener or raw IP.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
