Eyes · 大眼看世界
Advisory
Audited by Static analysis on May 13, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If enabled, the skill can send messages to the configured chat/channel and update its own cron settings during an upgrade flow.
The skill instructs the agent to use OpenClaw CLI tools to send segmented messages and, after a user-requested update, adjust its cron timeout settings. This is aligned with the notification purpose but gives the skill practical authority to post to configured channels and modify its own scheduled jobs.
```
openclaw message send --channel "$channel" --target "$target_id" --message "消息内容"
...
openclaw cron edit <job-id> --timeout-seconds <value>
```
Confirm the channel/target before installation and review update prompts or cron edits if you use the upgrade command.
The skill can keep sending scheduled summaries after installation until the cron jobs are removed or disabled.
The reference installer defines recurring cron jobs for morning, hourly, and evening summaries. This is disclosed and central to the skill's purpose, but it is persistent background automation.
```
openclaw cron add \
  --name eyes-morning \
  --cron "0 8 * * *" ... --session isolated
```
Install the cron jobs only if you want ongoing automated pushes, and periodically review `openclaw cron list` for active Eyes jobs.
Old sent-event records or preference/state files may affect future summaries or deduplication.
The skill keeps local runtime state for deduplication, retry tracking, and installation marking. This is bounded to Eyes-related files and supports the stated workflow, but persisted context can influence future runs.
Runtime (workspace/memory/) - `eyes-sent-events.md` - pushed events (deduplication) ... `eyes-retry-queue.md` ... `eyes-installed`
Review or clear the Eyes files under workspace memory if summaries look stale, biased, or if you uninstall the scheduled jobs.
It may be harder to tell exactly which packaged version is installed or being updated.
The registry metadata supplied for review says version 5.1.1, while the packaged _meta.json says 5.0.17. This is a packaging/provenance consistency issue, not evidence of malicious behavior.
"slug": "eyes", "version": "5.0.17"
Verify the installed version after updating and inspect the packaged files if version consistency matters to you.
