Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cinmoore Skill

v1.0.0

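Skill for 神眸-brand cameras: camera PTZ control; image/video data capture; multimodal large-model image/video analysis, image editing, and intelligent object finding and localization; Feishu push; custom detection events; automatic vlog generation based on video analysis. Use cases: (1) control camera movement and recording (2) capture images and video (3) analyze image/video content (4) intelligent object finding and localization (5) image editing (6) send messages to...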

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md functionality (PTZ control, capture, AI analysis, Feishu push, vlog generation) matches the skill name/description. However, the skill expects a local configuration file containing Feishu credentials and a DashScope API key (for models), but the registry metadata lists no required env vars or credentials — an inconsistency between claimed needs and declared requirements.
!
Instruction Scope
The runtime instructions direct the agent/user to run Python modules (python -m cinmoore_skill.*) and to create a cinmoore_config.yaml containing device_id, feishu app_id/app_secret, and models.api_key. The SKILL.md also directs reading and writing local files under temp\ and pushing data to external services (Feishu and DashScope). The instructions reference modules and files that are not present in the skill bundle, giving the agent/user broad discretion to install/run external code.
!
Install Mechanism
The registry includes an install command that runs pip install on a relative wheel path ('python -m pip install wheel\cinmoore_skill-1.0.0-py3-none-any.whl') on Windows. No wheel file is bundled with the skill. This is suspicious because it implies relying on an external/local wheel (not from a known registry or release host); if executed, pip-installing an unknown wheel would run arbitrary code on the host.
!
Credentials
The registry declares no required environment variables or primary credential, but the SKILL.md requires a config file with Feishu app_id/app_secret and a DashScope API key. Secrets are expected to be stored in a local YAML rather than declared in the skill manifest, which hides needed privileges and is disproportionate to the declared metadata.
Persistence & Privilege
The skill does not request always:true, does not claim system-wide persistence, and is user-invocable only. It does instruct storing outputs and configs in its own directory (cinmoore-skill and temp\), which is normal for a local camera integration.
What to consider before installing
This skill appears to need Feishu credentials and a DashScope API key (sensitive secrets) and expects you to install a wheel that is not bundled with the skill. Before installing or using it: (1) Ask the publisher for the actual wheel/source code and verify its origin and contents (check a signed release or GitHub release) rather than allowing an arbitrary pip install; (2) Do not provide Feishu app_secret or DashScope API keys until you verify the code and trust the publisher; (3) Prefer running first in an isolated/sandboxed environment or VM; (4) If you must test, inspect the wheel or source for network calls, credential exfiltration, or unexpected system access; (5) Request the owner to update the skill manifest to declare required credentials and provide a safe install method (official PyPI/GitHub release). These discrepancies (missing declared credentials and a referenced-but-missing wheel) are the main red flags.

latestvk976eat52zsbj1df12ghjf61qd842g0b

Runtime requirements

🖼️ Clawdis
Bins: python
