Skillv1.0.0

ClawScan security

Stranger Recognition Skill | 陌生人识别技能 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 17, 2026, 2:11 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill mostly does what it claims (cloud-based stranger recognition) but contains several incoherent or risky choices: it reads workspace config/envs that were not declared, can create or modify config files, and will upload local media to remote APIs — the combination merits caution before installing.
Guidance: Key points to consider before installing or running this skill: - Data exfiltration risk: The skill uploads images/videos to remote APIs (RequestUtil.http_post). Confirm the actual API endpoints (skills/smyx_common/scripts/config.yaml and ApiEnum base URLs) and the operator/owner of those endpoints before sending sensitive media or people-identifying data. - Undeclared config/env access: Although the skill declares no required credentials, it reads environment variables and looks up API keys in skills/smyx_common/scripts/config.yaml (first in the skill, then workspace). Review that file and any workspace-level config to ensure no sensitive credentials would be used or leaked. - Contradictory instructions: SKILL.md forbids reading local memory, yet the code will read/write config.yaml files and read environment variables. Expect these behaviors despite the prohibition in the docs. - File I/O behavior: The skill will read local media files you point it at (expected) and will save attachments into an attachments directory. It may also create config.yaml files if missing. If you are running in a shared environment, be cautious about which directories it can access. - Privacy & legal: Facial recognition involves personal data. Ensure you have lawful basis to process faces and that storage/retention settings meet privacy/regulatory requirements. - Verify implementation details before use: Inspect skills/smyx_common/scripts/util.py (RequestUtil) to see where HTTP posts go and how authentication is handled. Confirm MAX_FILE_SIZE and supported formats — SKILL.md claims 100MB but code/config default is 10MB (inconsistency). - Operational suggestion: Run the skill in a controlled environment (isolated workspace or sandbox) first, review network destinations, and avoid using real-world surveillance footage or real personal identifiers until you confirm endpoints and retention policies.

Review Dimensions

Purpose & Capability: concernThe skill's purpose (facial stranger recognition) matches the included code that sends media to a remote analysis API. However there are mismatches: SKILL.md declares no required env vars/credentials yet the code reads environment variables (OPENCLAW_SENDER_OPEN_ID, FEISHU_OPEN_ID) and expects api-key/configs in skills/smyx_common/scripts/config.yaml. The repository also contains unrelated docs and endpoints (pet health, TCM face analysis), indicating copy-paste reuse rather than a minimal, purpose-specific implementation.
Instruction Scope: concernRuntime instructions require obtaining an open-id by reading configuration files in the skill and workspace (skills/smyx_common/scripts/config.yaml) and mandate that historical reports be fetched from cloud APIs. The code will read local files (media inputs) and potentially any config files under the indicated paths. SKILL.md explicitly forbids reading local memory files, but the codebase will read/create config.yaml files and environment variables — a direct contradiction between instructions and actual code behavior.
Install Mechanism: noteThere is no install spec (instruction-only from the platform perspective) but the bundle includes many Python modules and a large requirements.txt under skills/smyx_common. That means installing/using the skill likely requires installing many dependencies manually; absence of an install step is a deployment/usability concern but not an immediate delivery-risk indicator by itself.
Credentials: concernThe metadata declares no required environment variables or primary credential, yet the code reads environment variables (OPENCLAW_SENDER_OPEN_ID, OPENCLAW_SENDER_USERNAME, FEISHU_OPEN_ID) and loads API keys from YAML config files. The skill will access workspace-level config (potentially exposing other skills' API settings). Asking the user for open-id (username/phone) is reasonable for multi-tenant APIs, but the path-based config lookup and implicit env usage are not declared and broaden the data the skill can access.
Persistence & Privilege: noteThe skill does not set always:true and is user-invocable only. However BaseEnum.YamlUtil.load will create config.yaml files if they don't exist and the skill saves uploaded attachments into its attachments directory — both are persistent filesystem actions. This behavior is not plainly documented as a side-effect and could create or modify files in skill directories.