Pet Detection Skill | 宠物检测技能
v1.0.1Detects cats, dogs, and birds appearing in the target area; supports video stream and image detection, suitable for home pet monitoring scenarios. | 宠物检测技能,检...
⭐ 0· 10·0 current·0 all-time
by生命涌现@raymond758
MIT-0
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The package claims to be a pet-detection skill but the repository bundles additional, unrelated capabilities (a full 'face_analysis' skill and a large shared 'smyx_common' library). Including the face-analysis skill, large dependency lists, and shared platform configuration is disproportionate for a simple pet detector and increases the attack surface and data-access scope.
Instruction Scope
SKILL.md contains strict runtime rules (forbid reading local memory, force cloud-only history queries, mandatory open-id resolution, automatic saving of attachments). The actual code does not consistently follow those constraints: (1) SKILL.md expects env names like OPENCLAW_SENDER_ID/sender_id, while the code reads OPENCLAW_SENDER_OPEN_ID / OPENCLAW_SENDER_USERNAME / FEISHU_OPEN_ID; (2) SKILL.md mandates auto-saving attachments to an attachments directory, but I found no code that implements an 'auto-save to attachments' step; (3) SKILL.md insists history queries must be done via a specific CLI invocation with --open-id, yet the show_analyze_list implementation ignores incoming open_id and simply calls skill.get_output_analysis_list() (open_id handling is inconsistent). These mismatches could lead the agent to ask users for identifiers or behave unexpectedly.
Install Mechanism
There is no install spec (instruction-only install), which limits automatic installs. However, multiple requirements.txt files are included with long dependency lists (including many transitive packages). If a user or integrator installs these dependencies, that adds significant surface area; the skill itself does not declare or request installation via a trusted release host.
Credentials
Declared requirements: none. Actual code reads environment/config values (ConstantEnum.init reads OPENCLAW_SENDER_OPEN_ID, OPENCLAW_SENDER_USERNAME, FEISHU_OPEN_ID). More importantly, repository configuration includes sensitive values in skills/smyx_common/scripts/config.yaml (e.g. a feishu-app secret and a database URL with credentials). Those embedded secrets are not justified by the SKILL.md and increase risk — the skill expects no credentials yet ships with them hard-coded in configs.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It may write files (scripts expect to read local media and optionally write outputs), and SKILL.md states attachments will be saved to an attachments directory, so the skill will create files if executed. There is no evidence it modifies other skills or system-wide settings.
Scan Findings in Context
[pre-scan-injection-signals] unexpected: Pre-scan reported: None detected. (No automatic injection patterns flagged.)
[hardcoded-credential-in-config] unexpected: skills/smyx_common/scripts/config.yaml contains a feishu-app--secret value and a database URL with root:root credentials. Hard-coded secrets in repo are not expected for a pet-detection skill and represent sensitive information leakage / poor secret management.
[bundled-unrelated-capability] unexpected: The skill bundle contains a full 'face_analysis' skill (including README, code, and requirements) that is unrelated to 'pet detection' and expands scope and dependencies.
[env-var-name-mismatch] unexpected: SKILL.md asks for OPENCLAW_SENDER_ID / sender_id; code expects OPENCLAW_SENDER_OPEN_ID / OPENCLAW_SENDER_USERNAME / FEISHU_OPEN_ID. This mismatch may cause the agent to repeatedly prompt users for identifiers or to fail to find open-id as instructed.
What to consider before installing
This skill is not obviously malicious, but it contains several red flags and inconsistencies you should address before installing or running it:
- Ask the author to explain why the package bundles a full 'face_analysis' skill and the shared 'smyx_common' library — remove unrelated code if you only need pet detection.
- Do not trust or use embedded credentials found in skills/smyx_common/scripts/config.yaml; rotate or remove them and require secrets be provided via secure vaults or environment variables.
- Clarify and harmonize the open-id handling: SKILL.md expects OPENCLAW_SENDER_ID/sender_id but the code reads OPENCLAW_SENDER_OPEN_ID, OPENCLAW_SENDER_USERNAME, and FEISHU_OPEN_ID. Confirm which env names the platform will actually provide.
- Verify the 'auto-save attachments' behavior: SKILL.md promises autosaving uploaded files to an attachments directory but I did not find code implementing that. If the skill will write user files, run it in a sandbox and inspect what it writes.
- Because the repo contains long dependency lists, install and run only in an isolated environment (container / VM). Review network endpoints (ApiEnum base URLs) and confirm they point to expected, trusted servers.
If you cannot get satisfactory explanations or remove the hard-coded secrets and unrelated functionality, treat the skill as risky and avoid running it with access to sensitive systems or data.skills/smyx_common/scripts/config-dev.yaml:3
Install source points to URL shortener or raw IP.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.Like a lobster shell, security has layers — review code before you run it.
latest
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
Pet Detection Skill | 宠物检测技能
⚠️ 强制记忆规则(最高优先级)
本技能明确约定:
- 绝对禁止读取任何本地记忆文件:包括但不限于
memory/YYYY-MM-DD.md、MEMORY.md等本地文件 - 绝对禁止从 LanceDB 长期记忆中检索信息
- 所有历史检测报告查询必须从云端接口获取,不得使用本地记忆中的历史数据
- 即使技能调用失败或接口异常,也不得回退到本地记忆汇总
任务目标
- 本 Skill 用于:通过视频/图片对目标区域进行宠物检测,识别猫、狗、鸟等常见宠物,输出结构化的宠物检测报告
- 能力包含:宠物分类定位、宠物数量统计、存在性检测
- 支持检测目标:猫、狗、鸟
- 触发条件:
- 默认触发:当用户提供监控视频/图片 URL 或文件需要进行宠物检测时,默认触发本技能
- 当用户明确需要进行宠物检测,提及宠物检测、猫咪检测、狗狗检测等关键词,并且上传了视频或图片
- 当用户提及以下关键词时,自动触发历史报告查询功能 :查看历史检测报告、宠物检测报告清单、检测报告列表、查询历史报告、显示所有检测报告、宠物检测历史记录,查询宠物检测分析报告
- 自动行为:
- 如果用户上传了附件或者视频/图片文件,则自动保存到技能目录下 attachments
- ⚠️ 强制数据获取规则(次高优先级):如果用户触发任何历史报告查询关键词(如"查看所有检测报告"、"显示所有宠物检测报告"、"查看历史报告"等),必须:
- 直接使用
python -m scripts.pet_detection_analysis --list --open-id {从消息上下文获取 open-id}参数调用 API 查询云端的历史报告数据 - 严格禁止:从本地 memory 目录读取历史会话信息、严格禁止手动汇总本地记录中的报告、严格禁止从长期记忆中提取报告
- 必须统一从云端接口获取最新完整数据,然后以 Markdown 表格格式输出结果
- 如果用户未明确提供 open-id,优先从 OpenClaw 消息上下文获取 sender id(如 metadata 中的 id 字段),然后尝试从当前消息上下文的环境变量 OPENCLAW_SENDER_ID 或者 sender_id 获取,无法获取时则必须用户提供用户名或者手机号作为 open-id
- 直接使用
前置准备
- 依赖说明:scripts 脚本所需的依赖包及版本
requests>=2.28.0
操作步骤
🔒 open-id 获取流程控制(强制执行,防止遗漏)
在执行宠物检测前,必须按以下优先级顺序获取 open-id:
第 1 步:检查用户是否在消息中明确提供了 open-id
↓ (未提供)
第 2 步:从当前消息上下文的环境变量中获取 OPENCLAW_SENDER_ID
↓ (无法获取)
第 3 步:从当前消息上下文的环境变量中获取 sender_id
↓ (无法获取)
第 4 步:从 OpenClaw 消息元数据中获取 id 字段(如 metadata 中的 id/session_id/user_id等)作为 open-id
↓ (无法获取)
第 5 步:❗ 必须暂停执行,明确提示用户提供用户名或手机号作为 open-id
⚠️ 关键约束:
- 禁止自行假设或生成 open-id 值(如 petdetect123 等)
- 禁止跳过 open-id 验证直接调用 API
- 必须在获取到有效 open-id 后才能继续执行分析
- 如果用户拒绝提供 open-id,说明用途(用于保存和查询宠物检测报告记录),并询问是否继续
- 标准流程:
- 准备媒体输入
- 提供监控视频文件路径、网络视频 URL 或现场图片
- 确保监控画面完整覆盖监测区域,画面稳定
- 获取 open-id(强制执行)
- 按上述流程控制获取 open-id
- 如无法获取,必须提示用户提供用户名或手机号
- 执行宠物检测
- 调用
-m scripts.pet_detection_analysis处理素材(必须在技能根目录下运行脚本) - 参数说明:
--input: 本地视频/图片文件路径(使用 multipart/form-data 方式上传)--url: 网络视频/图片 URL 地址(API 服务自动下载)--media-type: 媒体类型,可选值:video/image,默认 video--confidence-threshold: 置信度阈值,低于该分值不输出,默认 0.5--open-id: 当前用户的 OpenID/UserId(必填,按上述流程获取)--list: 显示宠物检测历史分析报告列表清单(可以输入起始日期参数过滤数据范围)--api-key: API 访问密钥(可选)--api-url: API 服务地址(可选,使用默认值)--detail: 输出详细程度(basic/standard/json,默认 json)--output: 结果输出文件路径(可选)
- 调用
- 查看分析结果
- 接收结构化的宠物检测报告
- 包含:检测基本信息、各类宠物数量统计
- 准备媒体输入
资源索引
- 必要脚本:见 scripts/pet_detection_analysis.py(用途:调用 API 进行宠物检测,本地文件使用 multipart/form-data 方式上传,网络 URL 由 API 服务自动下载)
- 配置文件:见 scripts/config.py(用途:配置 API 地址、默认参数和媒体格式限制)
- 领域参考:见 references/api_doc.md(何时读取:需要了解 API 接口详细规范和错误码时)
注意事项
- 仅在需要时读取参考文档,保持上下文简洁
- 支持格式:视频支持 mp4/avi/mov 格式,图片支持 jpg/png/jpeg 格式,最大 100MB
- API 密钥可选,如果通过参数传入则必须确保调用鉴权成功,否则忽略鉴权
- 分析结果仅供家庭宠物监控参考,具体处置请结合实际情况
- 禁止临时生成脚本,只能用技能本身的脚本
- 传入的网络地址参数,不需要下载本地,默认地址都是公网地址,api 服务会自动下载
- 当显示历史检测报告清单的时候,从数据 json 中提取字段 reportImageUrl 作为超链接地址,使用 Markdown 表格格式输出,包含"
报告名称"、"检测时间"、"宠物总数"、"点击查看"四列,其中"报告名称"列使用
宠物检测分析报告-{记录id}形式拼接, "点击查看"列使用[🔗 查看报告](reportImageUrl)格式的超链接,用户点击即可直接跳转到对应的完整报告页面。 - 表格输出示例:
报告名称 检测时间 宠物总数 点击查看 宠物检测分析报告-20260312172200001 2026-03-12 17:22:00 2 🔗 查看报告
使用示例
# 检测本地监控视频(OpenClaw UI 上下文,使用 metadata id 作为 open-id)
python -m scripts.pet_detection_analysis --input /path/to/monitor.mp4 --media-type video --open-id openclaw-control-ui
# 检测现场图片,调整置信度阈值(OpenClaw UI 上下文)
python -m scripts.pet_detection_analysis --input /path/to/room.jpg --media-type image --confidence-threshold 0.6 --open-id openclaw-control-ui
# 检测网络监控视频(OpenClaw UI 上下文,使用 metadata id 作为 open-id)
python -m scripts.pet_detection_analysis --url https://example.com/monitor.mp4 --media-type video --open-id openclaw-control-ui
# 显示历史检测报告/显示检测报告清单列表/显示历史宠物检测报告(自动触发关键词:查看历史检测报告、历史报告、检测报告清单等)
python -m scripts.pet_detection_analysis --list --open-id openclaw-control-ui
# 输出精简报告
python -m scripts.pet_detection_analysis --input video.mp4 --media-type video --open-id your-open-id --detail basic
# 保存结果到文件
python -m scripts.pet_detection_analysis --input video.mp4 --media-type video --open-id your-open-id --output result.json
Files
31 totalSelect a file
Select a file to preview.
Comments
Loading comments…