Passive Vital Signs Monitoring Tool | 无感生命体征监测分析工具
Non-contact detection of heart rate, respiration, blood oxygen, and heart rate variability. No wearable devices are required; monitoring is achieved solely t...
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 0 · 18 · 1 current installs · 1 all-time installs
by 生命涌现 @raymond758
Security Scan (OpenClaw): Suspicious, high confidence
Purpose & Capability
The code implements contactless vital-sign analysis and re-uses a face-analysis helper; that aligns with the description. However the repository also contains a local DAO/SQLite layer, many common utilities and a face-analysis subskill—capabilities that go beyond a minimal analyzer. The skill declares no required environment variables, yet the code reads OpenClaw-related env vars (OPENCLAW_SENDER_OPEN_ID, OPENCLAW_SENDER_USERNAME, FEISHU_OPEN_ID) and relies on ApiEnum base URLs from config files. This mismatch between declared requirements and required runtime configuration is incoherent.
Instruction Scope
SKILL.md imposes strict runtime rules (e.g., absolutely forbid reading local memory) while also instructing the agent to automatically save uploaded attachments to the skill's attachments directory and to always fetch historical reports from remote APIs. The instructions force the agent to extract open-id from message metadata or environment vars and to run local scripts (python -m scripts.contactless_vital_signs_monitoring). That gives the skill authority to write files and make network calls; the combination of forbidding local-memory reads but enabling local file writes and local DB code is internally inconsistent and unusual.
Install Mechanism
There is no install spec (instruction-only in registry), which reduces automatic install risk. However the repository includes large requirements lists (face_analysis and smyx_common) and many Python modules; to run the skill you would likely need to install many packages. That is not inherently malicious but is heavy and should be done in a controlled environment.
Credentials
The registry lists no required environment variables, yet the code explicitly reads OpenClaw and Feishu environment variables (e.g., OPENCLAW_SENDER_OPEN_ID, OPENCLAW_SENDER_USERNAME, FEISHU_OPEN_ID). Additionally, repository config files contain sensitive-looking values (e.g., feishu-app--secret and database connection strings such as mysql+pymysql://root:root@... in smyx_common config files). The skill also builds URLs to external services (lifeemergence.com and local IPs) — network access and these undeclared credentials are disproportionate to what a simple monitoring helper should require and should be disclosed.
Persistence & Privilege
The codebase includes a local SQLite DAO layer (skills/smyx_common/scripts/dao.py) and logic that writes files (e.g., reading/writing uploads and results, and creating a data directory). SKILL.md forbids reading local memory but the code supports local storage and local DB usage, an internal contradiction. The skill does not request 'always' privilege, but it does persist data locally and call external APIs — both increase persistence/privilege footprint and the potential blast radius if the endpoints or code are untrusted.
What to consider before installing
Key things to consider before installing or running this skill:
- Mismatched declarations: The skill claims no required environment variables, but the code reads OpenClaw/Feishu env vars (OPENCLAW_SENDER_OPEN_ID/OPENCLAW_SENDER_USERNAME/FEISHU_OPEN_ID) and SKILL.md instructs the agent to extract open-id from message metadata. Expect to supply identifiers (open-id) and/or env vars at runtime even though the registry did not declare them.
- Local persistence vs. prohibition: SKILL.md forbids reading local memory, yet the repository includes local persistence code (SQLite DAO) and instructions to save uploaded attachments to an attachments directory. Decide whether you trust the skill to store sensitive video/health data locally.
- Embedded secrets and endpoints: Config files contain secrets and DB connection strings (e.g., smyx_common config.yaml/config-dev.yaml include a Feishu secret and mysql://root:root@... entries) and point to external domains (lifeemergence.com and internal IPs). Treat those embedded values as indicators you should verify the intended backend; do not assume they are safe production credentials.
- Network behavior: The skill will POST video files or video URLs to remote API endpoints. If you don't trust the endpoints (or cannot verify them), do not upload real personal videos or identifiers. Review skills/smyx_common/scripts/util.py (RequestUtil) to confirm exactly what data is sent and to which hosts.
- Operational recommendations:
- Only run this skill in an isolated, network-restricted environment (sandbox) until you audit the code and endpoints.
- Inspect the RequestUtil/ApiService code paths to confirm exactly which headers and fields (open-id, filenames, metadata) are transmitted.
- Do not provide real personal identifiers (open-id, phone number) until you confirm backend ownership and privacy policy.
- Remove or rotate any embedded secrets from files you control; treat repository-embedded secrets as compromised.
- Ask the publisher for provenance: who operates the API endpoints and where data is stored/retained. If you cannot verify the provider, avoid using it with real personal data.
If you want, I can (1) list the exact files/lines that reference environment variables and embedded secrets, (2) extract and summarize all external endpoints used by the code, or (3) highlight the network-call code paths (RequestUtil) for manual review.
Static analysis finding:
- skills/smyx_common/scripts/config-dev.yaml:3: Install source points to URL shortener or raw IP.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
Current version: v1.0.2
SKILL.md
Passive Vital Signs Monitoring Tool | 无感生命体征监测分析工具
⚠️ Mandatory memory rules (highest priority)
This skill explicitly stipulates:
- Reading any local memory file is absolutely forbidden, including but not limited to local files such as memory/YYYY-MM-DD.md and MEMORY.md
- Retrieving information from LanceDB long-term memory is absolutely forbidden
- All historical report queries must be fetched from the cloud API; historical data held in local memory must not be used
- Even if the skill call fails or the API errors, do not fall back to summarizing from local memory
Task objective
- This skill is used for: non-contact vital-sign monitoring from ordinary camera video
- Capabilities: heart rate detection, respiratory rate detection, blood oxygen estimation and heart rate variability analysis, with no wearable device required
- Technical principle: photoplethysmography, extracting the blood-flow signal from minute changes in skin color
- Use cases: home health monitoring, remote elderly care, everyday health screening
- Trigger conditions:
  - Default trigger: when the user provides a video for non-contact vital-sign monitoring, this skill is triggered by default
  - When the user explicitly requests passive monitoring or vital-sign detection, mentions keywords such as heart rate detection, respiration monitoring, blood oxygen monitoring, non-contact monitoring or passive monitoring, and has uploaded a video file
  - When the user mentions any of the following keywords, the historical report query is triggered automatically: view historical monitoring reports, vital-sign report list, monitoring report list, query historical monitoring reports, show all monitoring reports, vital-sign analysis report, query passive vital-sign monitoring analysis reports
- Automatic behavior:
  - If the user uploads an attachment or video file, save it automatically to the attachments directory under the skill directory
  - ⚠️ Mandatory data-retrieval rule (second-highest priority): if the user triggers any historical report query keyword (such as "view all monitoring reports", "show all vital-sign reports" or "view historical reports"), you must:
    - Call the API directly with python -m scripts.contactless_vital_signs_monitoring --list --open-id {open-id obtained from the message context} to query the historical report data in the cloud
    - Strictly forbidden: reading historical session information from the local memory directory, manually summarizing reports from local records, or extracting reports from long-term memory
    - Always fetch the latest complete data from the cloud API, then output the result as a Markdown table
    - If the user has not explicitly provided an open-id, first obtain the sender id from the OpenClaw message context (such as the id field in metadata), then try the environment variable OPENCLAW_SENDER_ID or sender_id of the current message context; if none can be obtained, the user must provide a username or phone number as the open-id
Prerequisites
- Dependencies: packages and versions required by the scripts
requests>=2.28.0
Monitoring requirements (prerequisites for accurate results)
To obtain reasonably accurate results, make sure that:
- The face is directly facing the camera at a distance of 30-50 cm
- Lighting is sufficient and even across the face; avoid direct strong light and shadows
- Monitoring duration: a 10-30 second video is recommended, and no shorter than 3 seconds
- No special wearables are needed and normal clothing is fine, but avoid a mask covering the mouth and nose
Procedure
🔒 open-id acquisition flow control (mandatory, to prevent omission)
Before running passive vital-sign monitoring analysis, the open-id must be obtained in the following priority order:
Step 1: Check whether the user explicitly provided an open-id in the message
↓ (not provided)
Step 2: Obtain OPENCLAW_SENDER_ID from the environment variables of the current message context
↓ (unavailable)
Step 3: Obtain sender_id from the environment variables of the current message context
↓ (unavailable)
Step 4: Obtain the id field from the OpenClaw message metadata (such as id/session_id/user_id in metadata) and use it as the open-id
↓ (unavailable)
Step 5: ❗ Execution must pause; explicitly prompt the user to provide a username or phone number as the open-id
⚠️ Key constraints:
- Do not assume or generate an open-id value on your own (such as vital123 or monitor456)
- Do not skip open-id verification and call the API directly
- Analysis may continue only after a valid open-id has been obtained
- If the user refuses to provide an open-id, explain its purpose (saving and querying monitoring report records) and ask whether to continue
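The five-step chain above, as an added Python example that is not part of the skill's own scripts. It assumes the message arrives as a string and the environment and metadata as dicts, and that an explicit open-id in the message takes the form open-id: <value>, which SKILL.md does not specify; it returns None instead of inventing a value when every source is empty.

```python
import re
from typing import Mapping, Optional

# Placeholder ids that SKILL.md names as examples of fabricated values;
# they are rejected even if some upstream component supplied them.
FORBIDDEN_PLACEHOLDERS = {"vital123", "monitor456"}

# Assumption: an explicit open-id in the message looks like "open-id: <value>".
_EXPLICIT_RE = re.compile(r"open-id\s*[:=]\s*([A-Za-z0-9_.@+-]+)", re.IGNORECASE)


def _explicit_from_message(message: str) -> Optional[str]:
    """Step 1: an open-id the user stated in the message itself."""
    m = _EXPLICIT_RE.search(message or "")
    return m.group(1) if m else None


def resolve_open_id(message: str,
                    env: Mapping[str, str],
                    metadata: Mapping[str, str]) -> tuple[Optional[str], str]:
    """Walk the SKILL.md priority chain and return (open_id, source).

    Returns (None, "ask-user") when no source yields a usable value: the
    caller must stop and ask for a username or phone number (step 5)
    rather than proceed with a guessed or blank id.
    """
    candidates = [
        ("message", _explicit_from_message(message)),                # step 1
        ("env:OPENCLAW_SENDER_ID", env.get("OPENCLAW_SENDER_ID")),   # step 2
        ("env:sender_id", env.get("sender_id")),                     # step 3
    ]
    for key in ("id", "session_id", "user_id"):                      # step 4
        candidates.append((f"metadata:{key}", metadata.get(key)))

    for source, value in candidates:
        value = (value or "").strip()
        # blank strings and known placeholders do not count as "obtained"
        if value and value not in FORBIDDEN_PLACEHOLDERS:
            return value, source
    return None, "ask-user"
```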
- Standard procedure:
  - Prepare the video input
    - Provide a local video file path or a network video URL
    - Make sure the monitoring requirements above are met for more accurate results
  - Obtain the open-id (mandatory)
    - Obtain it following the flow control above
    - If it cannot be obtained, prompt the user to provide a username or phone number
  - Run the passive vital-sign monitoring analysis
    - Run python -m scripts.contactless_vital_signs_monitoring to process the video (the script must be run from the skill root directory)
    - Parameter description:
      - --input: local video file path (uploaded as multipart/form-data)
      - --url: network video URL (downloaded automatically by the API service)
      - --open-id: the current user's OpenID/UserId (required; obtained per the flow above)
      - --list: show the list of historical passive vital-sign monitoring analysis reports (a start-date parameter can be given to filter the date range)
      - --api-key: API access key (optional)
      - --api-url: API service address (optional; the default is used otherwise)
      - --detail: output verbosity (basic/standard/json, default json)
      - --output: result output file path (optional)
  - View the analysis results
    - Receive the structured passive vital-sign monitoring analysis report
    - Includes: basic video information, heart rate, respiratory rate, blood oxygen estimate, heart rate variability, overall assessment and health advice
Resource index
- Required script: see scripts/contactless_vital_signs_monitoring.py (purpose: calls the API for passive vital-sign monitoring analysis; local files are uploaded as multipart/form-data, network URLs are downloaded by the API service)
- Configuration file: see scripts/config.py (purpose: configures the API address, default parameters and video format limits)
- Domain reference: see references/api_doc.md (when to read: when the detailed API specification and error codes are needed)
Notes
- Read the reference document only when needed, keeping the context concise
- Supported formats: mp4/avi/mov; recommended duration 10-30 seconds; maximum 100MB
- The API key is optional; if it is passed as a parameter, the call must authenticate successfully, otherwise authentication is ignored
- Important: the analysis results are for health reference only and cannot replace professional medical measurement or a doctor's diagnosis; seek medical attention promptly if anything is abnormal
- Do not generate ad-hoc scripts; only the skill's own scripts may be used
- Network address parameters do not need to be downloaded locally; by default the addresses are public and the API service downloads them automatically
- When showing the historical analysis report list, extract the reportImageUrl field from the data JSON as the hyperlink address and output a Markdown table with five columns: "报告名称" (report name), "视频时长" (video duration), "分析时间" (analysis time), "心率" (heart rate) and "点击查看" (click to view). The "报告名称" column is formed as 无感生命体征监测报告-{record id}, and the "点击查看" column uses a hyperlink of the form [🔗 查看报告](reportImageUrl), so the user can click straight through to the corresponding full report page.
- Table output example:
| 报告名称 | 视频时长 | 分析时间 | 心率(次/分) | 点击查看 |
|---|---|---|---|---|
| 无感生命体征监测报告-20260328221000001 | 15秒 | 2026-03-28 22:10:00 | 72 | 🔗 查看报告 |
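An added example (not the skill's code) that renders API records as the five-column Markdown table specified above. Only reportImageUrl is named by SKILL.md, so the other record keys (recordId, videoDuration, analysisTime, heartRate) are assumptions, and the link cell is rendered only for absolute http(s) URLs so that a field value in an untrusted API response cannot become a non-web link or break the table.

```python
from urllib.parse import urlsplit

# Column headers exactly as SKILL.md prescribes them.
COLUMNS = ("报告名称", "视频时长", "分析时间", "心率(次/分)", "点击查看")


def safe_link(url: str) -> str:
    """Build the 点击查看 cell; only absolute http(s) URLs become clickable."""
    parts = urlsplit(url or "")
    if parts.scheme in ("http", "https") and parts.netloc:
        # a ')' inside the URL would terminate the Markdown link early
        return f"[🔗 查看报告]({url.replace(')', '%29')})"
    return "(invalid link)"


def render_report_table(records: list[dict]) -> str:
    """Render API records as the five-column Markdown table.

    Assumed keys (not documented in SKILL.md): recordId, videoDuration,
    analysisTime, heartRate. reportImageUrl is the documented link field.
    """
    rows = ["| " + " | ".join(COLUMNS) + " |",
            "|" + "---|" * len(COLUMNS)]
    for r in records:
        cells = (
            f"无感生命体征监测报告-{r.get('recordId', '')}",
            str(r.get("videoDuration", "")),
            str(r.get("analysisTime", "")),
            str(r.get("heartRate", "")),
            safe_link(str(r.get("reportImageUrl", ""))),
        )
        # escape pipes so a field value cannot break the table layout
        rows.append("| " + " | ".join(c.replace("|", "\\|") for c in cells) + " |")
    return "\n".join(rows)


# Constructed sample records: one clean, one with hostile field values
SAMPLE_RECORDS = [
    {"recordId": "20260328221000001", "videoDuration": "15秒",
     "analysisTime": "2026-03-28 22:10:00", "heartRate": 72,
     "reportImageUrl": "https://example.com/reports/20260328221000001"},
    {"recordId": "x|y", "videoDuration": "", "analysisTime": "",
     "heartRate": "", "reportImageUrl": "javascript:void(0)"},
]

if __name__ == "__main__":
    print(render_report_table(SAMPLE_RECORDS))
```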
Usage examples
# Analyze a local video (OpenClaw UI context, using the metadata id as the open-id)
python -m scripts.contactless_vital_signs_monitoring --input /path/to/face.mp4 --open-id openclaw-control-ui
# Analyze a network video (OpenClaw UI context, using the metadata id as the open-id)
python -m scripts.contactless_vital_signs_monitoring --url https://example.com/face.mp4 --open-id openclaw-control-ui
# Show historical monitoring reports / the monitoring report list / historical vital-sign reports (auto-trigger keywords: view historical monitoring reports, historical reports, monitoring report list, etc.)
python -m scripts.contactless_vital_signs_monitoring --list --open-id openclaw-control-ui
# Output a condensed report
python -m scripts.contactless_vital_signs_monitoring --input face.mp4 --open-id your-open-id --detail basic
# Save the result to a file
python -m scripts.contactless_vital_signs_monitoring --input face.mp4 --open-id your-open-id --output result.json