Lingxi
Security checks across static analysis, malware telemetry, and agentic risk
Overview
Lingxi is a broad orchestration and dashboard skill that can store user conversations, use powerful external credentials, run background services, and publish content, but the provided artifacts do not clearly bound those behaviors.
Review this skill carefully before installing or following its setup steps. Do not provide GitHub, bot, or API tokens unless you understand exactly what permissions they grant. Keep the dashboard local unless you add strong authentication and HTTPS, and require manual approval before any social-media posting or other account-changing action.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If intent is misread or output is not reviewed, the agent could publish generated content to a social account before the user has a chance to approve it.
The skill explicitly frames execution as fully automatic and includes public social publishing as a role capability and example workflow.
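“One sentence, fully automatic” ... “📱 Operations expert | Publishing to Xiaohongshu, Weibo, and Douyin” ... Example: “Help me write a Xiaohongshu post, add a sexy selfie, and then publish it”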
Require explicit user confirmation before any public posting, account mutation, bulk action, or use of third-party publishing tools.
A broadly scoped token could let the system mutate repositories, send messages through connected bots, or spend/use LLM provider quota beyond the user’s expectation.
The README documents use of high-impact credentials, including GitHub push tokens, messaging bot tokens, and LLM API keys, but does not define least-privilege scopes or detailed handling.
| GitHub push | GitHub Token | `~/.github_token` | 🔴 High | ... | Feishu/DingTalk/QQ bots | Each platform's token | ... | ... | LLM calls | Alibaba Cloud API Key | Environment variable | 🔴 High |
Declare these credentials in metadata, document exact scopes, use least-privilege tokens, avoid plaintext token files where possible, and make each credential-dependent action opt-in.
A user following the README would be running code and installing dependencies that were not available for this review.
The package under review contains only documentation, while the setup instructions rely on external/local files and dependencies not present in the submitted artifacts.
“cd /root/lingxi-ai-latest” ... “pip3 install -r requirements.txt --break-system-packages” ... “cd dashboard/v3 && python3 server.py &”
Provide the referenced code, dependency files, and provenance in the package, pin dependencies, and avoid `--break-system-packages` unless clearly justified.
Sensitive or incorrect information could be stored and later reused across tasks, affecting future outputs or exposing private context in the dashboard.
The skill describes persistent multi-level memory and automatic memory processing, but the artifacts do not clearly specify retention, deletion, opt-in, exclusions, or how memories are trusted in future tasks.
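“MindCore memory core - three-level memory system - STM (short-term)/MTM (medium-term)/LTM (long-term)” ... “Memory merging and deduplication” ... “Session context - supports multi-session memory isolation”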
Make memory opt-in or clearly scoped, document retention and deletion controls, isolate memories by user/channel, and treat stored memories as untrusted context.
Dashboard tokens may leak through browser history, logs, or referrers, and remote access could expose task or memory data if not carefully protected.
The dashboard can be exposed remotely and uses a token in the URL while receiving task records that include user input, user ID, and channel information.
“Remote access: http://YOUR_SERVER_IP:8765/?token=YOUR_TOKEN” ... “record_to_dashboard(user_input=..., user_id=..., channel=...)”
Default to localhost, use HTTPS, put tokens in authorization headers instead of URLs, add origin/CSRF protections, and document what data crosses each channel boundary.
Users may underestimate what interaction data is stored or displayed in the dashboard.
The privacy promise is broad, but the same artifact shows task logging of user input, user identifiers, and channel metadata.
“Does not collect users' private data” ... “record_to_dashboard(user_input="用户输入", user_id="用户 ID", channel="feishu"...)”
Clarify whether data is stored locally or transmitted, list exact data fields recorded, and avoid broad privacy claims unless they match the implementation.
The system could continue operating or changing its behavior after the immediate user request, especially if the dashboard or background services are started.
The skill describes ongoing autonomous optimization and periodic health checks, but does not clearly document boundaries, stop controls, or rollback behavior.
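“EvoMind self-improvement - system self-optimization - automatically adjusts based on execution feedback” ... “Health check - automatically checks system status every 5 minutes”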
Require explicit opt-in for background operation and self-improvement, provide clear start/stop/uninstall instructions, and log all autonomous changes.
