Back to skill
Skillv1.0.0
ClawScan security
Respiratory Symptom Smart Recognition Tool | 呼吸道症状智能识别工具 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
ReviewApr 17, 2026, 4:35 PM
- Verdict
- Review
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill claims to do video-based respiratory symptom detection and the code mostly implements that, but there are several mismatches and surprising behaviors (undeclared environment access, local persistence, heavy dependency footprint, and required user-video upload to remote APIs) that the user should review before installing or sending sensitive videos.
- Guidance
- Key points before installing or using this skill: - Privacy: The skill uploads video files (potentially showing people's faces and breathing) to remote AI APIs. Only upload videos you are allowed to share and avoid sensitive personal data unless you trust the remote service and its data handling policies. - Undeclared config/credentials: The manifest lists no required env vars, but the code will read environment variables (OPENCLAW_WORKSPACE, OPENCLAW_SENDER_OPEN_ID, FEISHU_OPEN_ID) and module config.yaml files that may contain API URLs and api-key values. Check all config files (skills/smyx_common/scripts/config.yaml and skills/{this_skill}/skills/smyx_common/scripts/config.yaml) for endpoints or keys before running. - Local persistence: The skill will save uploaded attachments to its attachments directory and the shared smyx_common DAO will create a SQLite DB under the workspace data directory. If you run it in a shared workspace, expect persistent files. If you want containment, run the skill in an isolated workspace or container. - Incoherent rules: SKILL.md forbids reading local memory, but the code contains local storage and configuration loaders. Ask the author to clarify the intended behavior (where history is saved, and what the prohibition on local memory means in practice). - Dependencies: There are large requirements files but no install instructions. Decide how you will manage dependencies (virtualenv/container) and avoid auto-running untrusted install scripts. - API endpoints: The provided config files reference domains like lifeemergence.com and example dev/local IPs. Verify the production API URL before sending data; consider auditing the remote API provider's privacy/security practices. If you are not comfortable with any of the above, do not upload real patient or sensitive videos and run the skill in an isolated environment. If possible, request from the skill author explicit documentation of runtime network endpoints, what data is transmitted, retention policies, and confirm the intended handling of local memory vs. cloud history.
- Findings
[no_pre_scan_findings] expected: Static pre-scan reported no injection signals. However, the code includes many HTTP request usages (RequestUtil/http_post) and file I/O—these are expected because the skill uploads videos and fetches/listing reports from remote AI services.
Review Dimensions
- Purpose & Capability
- noteThe name/description (video-based respiratory symptom recognition) aligns with the provided scripts: analysis entrypoints, face/respiratory modules, and API client code all implement video upload and remote analysis. However, the skill declares no required environment variables or credentials while its code expects/reads configuration files, environment variables (e.g. OPENCLAW_WORKSPACE, OPENCLAW_SENDER_OPEN_ID, FEISHU_OPEN_ID) and can use API keys present in config files. That mismatch (no declared env/credentials but runtime reliance on them) is surprising and reduces transparency.
- Instruction Scope
- concernSKILL.md contains explicit runtime rules (forbid reading local memory, strict open-id retrieval flow, auto-save attachments) but the codebase also includes a local SQLite DAO, utilities to read module config.yaml files, and logic that will read environment variables (CURRENT__OPEN_ID) and module config files under skills/smyx_common. The instruction to never read local memory contrasts with the presence of local storage logic; the skill will upload user videos to remote API endpoints (expected for remote analysis) but that is sensitive and must be considered. SKILL.md forbids falling back to local memory for history, yet the code contains local persistence utilities—this incoherence should be clarified.
- Install Mechanism
- concernThere is no install specification (lowest-risk delivery), but the repository contains multiple requirements.txt files and a large common dependency list (skills/smyx_common/requirements.txt) implying substantial Python packages will be needed at runtime. Without an install spec, users won't know whether dependencies will be installed automatically or are expected to exist. The dependency footprint is large relative to a single recognition script and deserves attention.
- Credentials
- concernThe skill declares no required env vars or primary credential, but code reads and uses several environment/config sources: OPENCLAW_WORKSPACE, OPENCLAW_SENDER_OPEN_ID, OPENCLAW_SENDER_USERNAME, FEISHU_OPEN_ID, and ApiEnum/ConstantEnum values loaded from module config.yaml files (which may include API URLs and api-key fields). The SKILL.md enforces an open-id retrieval flow (from two config.yaml locations or explicit user input) and forbids generating defaults, but the code will accept open-id via environment and will also use API endpoints and api-keys from config files if present. The lack of declared credentials is disproportionate to the actual runtime requirements and reduces transparency about what secrets might be used.
- Persistence & Privilege
- notealways:false (no forced inclusion). The skill writes uploaded attachments to a local attachments directory and the common library includes a DAO that creates a local SQLite database under a workspace data directory. That gives the skill local persistent storage (files and DB) scoped to its workspace; this is not necessarily malicious but contrasts with SKILL.md's ban on reading local memory and should be understood by the user. The skill does not request elevated platform privileges or modify other skills' configs.