Skillv1.0.0

ClawScan security

Pet Detection Skill | 宠物检测技能 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 17, 2026, 2:10 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill mostly implements pet detection via a remote API (consistent with its description) but contains several inconsistencies and unexpected behaviors — notably a hard prohibition in the instructions against reading local memory while the code reads/writes workspace config and creates a local SQLite DB and YAML files, and the skill will upload user media to external services; review before installing or running on sensitive data.
Guidance: Key points to consider before installing or running this skill: - Data exfiltration: The skill uploads user-provided media (local files or URLs) to remote API endpoints defined in the included config; if the media contain sensitive information (e.g., audio/video from inside your home), do not run it until you trust the remote host. The repo's default config references lifeemergence.com production/test URLs — verify and confirm the destination. - Inconsistent guarantees: SKILL.md explicitly forbids reading local memory, but the code will create/read YAML config files and a local SQLite DB in the workspace/data directory; these persistent writes break the stated prohibition. Expect local files to be created. - Credentials and open-id: The skill requires an open-id (CLI arg or read from config); it can also accept an API key. The registry metadata does not declare these env/credential needs — be cautious about providing any tokens or IDs. Prefer supplying a throwaway test open-id and avoid providing other credentials. - Large dependency surface: The package includes a big common library and a long requirements list. If you plan to install dependencies, review them and install in an isolated environment (container/VM) to limit exposure. - Recommended mitigations: run first in a sandboxed environment, inspect network traffic (or run with outbound network disabled) to confirm endpoints, inspect and sanitize config YAML files, and consider running against non-sensitive test media. If you require a privacy-preserving local solution, do not use this skill until you can confirm the API provider and hosting are trusted.

Review Dimensions

Purpose & Capability: noteThe name/description (pet detection for home monitoring) aligns with the code: scripts call a remote analysis API and format results. However the repo also contains a large face-analysis component and a broadly-shared 'smyx_common' library; while reuse is plausible, the presence of an unrelated 'face_analysis' skill and a large common utility surface increases the attack surface and is worth noting.
Instruction Scope: concernSKILL.md imposes strong runtime rules (forbid reading any local memory files, require open-id retrieval from specific config files, automatically save uploaded attachments to attachments/), but the code contradicts or expands that scope: the common library writes/loads YAML config files, the DAO component creates/uses a local SQLite DB under the workspace/data path, and YamlUtil.load will create config files if missing. The skill will also upload user-provided media (local files or URLs) to an external API. The instructions' prohibition against local memory reads is therefore inconsistent with the code behavior.
Install Mechanism: noteNo install specification (instruction-only) — reduces install-time risk. However the package includes a substantial requirements.txt (smyx_common) listing many dependencies; although not automatically installed, this large dependency list is disproportionate to a simple detection script and increases review burden if you decide to install them locally.
Credentials: concernMetadata declares no required env vars, but the code uses several environment values: OPENCLAW_SENDER_OPEN_ID / OPENCLAW_SENDER_USERNAME and OPENCLAW_WORKSPACE are referenced in ConstantEnum and Dao.get_db_path; config YAMLs include API base URLs and API key placeholders. The SKILL.md also requires an 'open-id' (passed as CLI arg or read from config). Sensitive data (open-id, optional api-key) may be used and media files will be sent to remote endpoints. The skill asks for open-id and may accept an API key but the environment/credential requirements are not declared in the registry metadata — this is a mismatch.
Persistence & Privilege: concernThe skill does not request 'always: true', but it will create/read files under the workspace (YamlUtil may create config.yaml files, the DAO creates a SQLite DB under workspace/data). The SKILL.md prohibition on using local memory conflicts with these persistent behaviors. This means the skill will have persistent presence in the workspace and may store analysis records locally.