Real-time Employee Absence Monitoring Skill | 人员离岗实时监测技能

This skill claims to call a cloud API for absence detection, which is reasonable, but there are several red flags you should consider before installing or running it: - Inconsistency: SKILL.md forbids reading local memory, yet the code reads workspace config files, environment variables, and can create a local SQLite DB and attachments. Ask the author which local files the skill will actually access and why local persistence is needed. - Data exfiltration risk: The scripts call remote API endpoints (configurable base URLs) and will upload media files (local video/image) to those endpoints. Verify the API endpoint (ApiEnum BASE_URL values) and that you trust the remote service before uploading any sensitive footage. Do not pass organization/employee credentials or private videos until you confirm the endpoint and privacy policy. - Credentials and config: The skill will read env vars and config YAML under the workspace; ensure these files do not contain unrelated secrets (API keys, DB URLs) before granting execution. Prefer providing only the minimal --open-id / --api-key at runtime rather than leaving broad workspace config populated. - Persistence: The skill will create files (attachments) and a local DB under the workspace; run this in an isolated environment or sandbox (or review and change file paths) if you do not want persistent artifacts stored in your primary workspace. - Dependency / installation: The package includes large requirements but no install instructions. If you intend to run it, install and review dependencies in an isolated virtual environment and inspect RequestUtil (skills/smyx_common/scripts/util.py) to confirm how HTTP requests are made and where data is sent. Recommended actions before use: 1. Request clarification from the publisher about why local DB/DAO and face-analysis components are bundled and whether they are required. 2. Inspect skills/smyx_common/scripts/util.py (especially RequestUtil) to confirm exact network endpoints, headers, and whether any credentials are automatically read or transmitted. 3. Run the skill in a sandboxed environment with dummy data first; do not use real employee footage until you confirm storage and retention policies for remote servers. 4. If you cannot verify endpoints and behavior, decline to install or disable autonomous invocation; require manual invocation and explicitly avoid supplying organizational secrets or unrestricted workspace config files. If you want, I can extract and summarize the RequestUtil and util.py implementations and list all places where network requests or file writes happen to help you decide.