Real-time Employee Absence Monitoring Skill | 人员离岗实时监测技能
v1.0.1
Sleep-on-duty monitoring: Conducts 7x24 hour unattended monitoring of designated work positions/key areas through intelligent video analysis, accurately iden...
MIT-0
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The declared purpose is real-time employee absence monitoring, which reasonably requires a cloud API and a notification channel. However, the package does not declare any required credentials or env vars while the code relies on Feishu app credentials (FEISHU_APP__ID/FEISHU_APP__SECRET/FEISHU_APP__RECEIVE_ID via skills.smyx_common.ConstantEnum), an API token (ApiEnum.OPEN_TOKEN) and reads OPENCLAW_SENDER_OPEN_ID / FEISHU_OPEN_ID environment variables and workspace config files. The repo also bundles a separate 'face_analysis' skill and a large common dependency list — bundling unrelated components and many dependencies without declaring them is disproportionate.
Instruction Scope
SKILL.md instructs the agent to read workspace-level config files (skills/smyx_common/scripts/config.yaml and workspace-level skills/smyx_common/scripts/config.yaml) to obtain 'open-id', mandates a strict open-id retrieval priority, and orders the agent to start a background polling daemon automatically when certain user keywords appear ('start the background polling service directly without asking the user'). It also enforces strict output formatting and that alerts be sent to Feishu. These instructions reach beyond a simple query/response scope: they read files outside the skill directory, persist local state (pid/logs/data/risks.yaml), and POST data to external endpoints — all without declaring or requesting explicit user consent in the flow.
Install Mechanism
There is no install spec (instruction-only) which reduces immediate installer risk. However the repository contains many Python modules and a large requirements.txt under skills/smyx_common — executing the code as-is would require installing many dependencies (and the SKILL.md recommends installing requests/pyyaml). The lack of an install manifest plus heavy embedded dependencies is a coordination gap and increases the chance a user will run code with unexpected transitive packages.
Credentials
The skill declares no required environment variables or primary credential, yet the code uses OPENCLAW_SENDER_OPEN_ID and FEISHU_OPEN_ID env vars, reads Feishu app id/secret and receive_id via skills.smyx_common.ConstantEnum, and expects ApiEnum.OPEN_TOKEN (with a long hard-coded fallback JWT-like token in get_token()). Requesting or using workspace-level API tokens and Feishu credentials is expected for sending notifications, but failing to declare these requirements is a mismatch that risks silent credential use or accidental exfiltration. Reading other skills' config files (workspace-wide path) also breaks proportionality.
Persistence & Privilege
The skill does not set always:true, but its runtime instructions and scripts start a background polling daemon, write PID files, logs and local data (data/risks.yaml, data/config.yaml). It also enforces automatic start-on-trigger without explicit user confirmation. While the skill writes only its own files, it reads workspace-level config files and could run autonomously in background — combining background execution with undisclosed credential usage increases operational risk.
Scan Findings in Context
[base64-block] unexpected: A 'base64-block' pattern was detected in SKILL.md (prompt-injection style). This is unexpected for a monitoring skill and could indicate the SKILL.md contains encoded payloads or attempts to manipulate evaluation/runtime. It should be inspected manually; presence does not prove exploitation but is a red flag.
What to consider before installing
Key points before installing or running this skill:
- Credentials mismatch: The SKILL.md declares no required credentials, but the code expects Feishu app credentials and an API token (and reads OPENCLAW_SENDER_OPEN_ID / FEISHU_OPEN_ID). Do NOT provide secrets until you verify the publisher and review where those values are used (feishu_sender.py, skills/smyx_common/config).
- Inspect workspace config files: The skill explicitly reads workspace-level config paths (skills/smyx_common/scripts/config.yaml). That may expose tokens or settings for other skills. Check those files first and avoid placing secrets in a workspace-shared config.
- Background behavior and autonomy: The skill will start a background polling daemon on certain keyword triggers (and SKILL.md says it will do so without asking). If you enable agent autonomy, consider disabling autonomous invocation or run the skill in a sandboxed environment where it cannot make outbound network requests or notify external services.
- Network & notification endpoints: The skill sends alerts to Feishu (open.feishu.cn) and calls cloud APIs for risk data and download URLs. Confirm the endpoints and review feishu_sender.py and api_service.get_download_url to ensure no unexpected external endpoints are used.
- Hard-coded fallback token: The code contains a long default/fallback token in get_token(). Treat this as suspicious — it may allow API calls without explicit credential configuration. Confirm with the publisher whether that token is legitimate, and prefer removing/rotating it.
- Run in isolation first: If you must try the skill, run it on an isolated machine or container, with network egress restricted, and after manually reviewing configuration constants in skills/smyx_common/scripts/config.py and other config files.
- Ask for provenance: The skill source and homepage are unknown. Request the publisher identity, purpose justification for reading workspace configs, and a minimal, declared list of required credentials before trusting deployment.
- Code review checklist: Inspect scripts/feishu_sender.py (message sending and image upload), scripts/staff_absence_detection_analysis.py (daemonization, config reads/writes) and skills/smyx_common for where credentials/constants originate. Confirm there are no unexpected external POSTs or logging of sensitive data.
If you are not comfortable with these issues or cannot vet the publisher, do not enable the skill in production or allow autonomous/background runs.
skills/smyx_common/scripts/config-dev.yaml:2
Install source points to URL shortener or raw IP.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
Like a lobster shell, security has layers — review code before you run it.
latest
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
Real-time Employee Absence Monitoring Skill | 人员离岗实时监测技能
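Task objective
- This Skill is used to: carry out 7x24-hour real-time intelligent monitoring of key areas such as designated workstations, cashier desks, service windows, security posts and central control rooms, automatically identify whether on-duty staff have left their preset work position for a long time, and trigger an alert notification immediately when a leave-post/off-post event occurs
- Core capabilities: staff absence recognition, off-post timeout detection, unattended-post alerting, historical absence event queries, real-time alert push
- Trigger condition: this skill is triggered when the user explicitly mentions "staff absence monitoring", "post duty monitoring", "off-post detection", "staff not at post", "absence alert", "duty monitoring" or "attendance video monitoring"
- Automatic behavior:
  - Automatically polls the cloud absence API in the background, by default once every 30 seconds
  - When a new absence event is found, automatically sends a structured alert to the designated Feishu account
  - Absence records that have already been sent are marked automatically to avoid duplicate sends
  - Absence data is persisted automatically and supports cross-session queries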
Prerequisites
- Dependencies: packages and versions required by the scripts in scripts
requests>=2.28.0
pyyaml>=6.0
- Installation:
# Debian/Ubuntu systems
sudo apt install -y python3-requests python3-yaml
# or install with pip
pip install requests pyyaml --break-system-packages
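Operating steps
🔒 open-id retrieval flow control (mandatory, to prevent omissions)
Before running the absence analysis, the open-id must be obtained in the following order of priority:
Step 1: [Highest priority] Check the configuration file in the skill's own directory (preferred)
Path: skills/smyx_common/scripts/config.yaml (relative to the skill root directory)
Full path example: ${OPENCLAW_WORKSPACE}/skills/{current skill directory}/skills/smyx_common/scripts/config.yaml
→ If the file exists and the api-key field is configured, read api-key as the open-id
↓ (not found / not configured / api-key is empty)
Step 2: Check the configuration file in the workspace common directory
Path: ${OPENCLAW_WORKSPACE}/skills/smyx_common/scripts/config.yaml
→ If the file exists and the api-key field is configured, read api-key as the open-id
↓ (not found / not configured)
Step 3: Check whether the user has explicitly provided an open-id in the message
↓ (not provided)
Step 4: ❗ Execution must pause, and the user must be explicitly prompted to provide a username or mobile phone number as the open-id
⚠️ Key constraints:
- Do not assume, derive or generate an open-id value yourself (such as openclaw-control-ui, default, userC113, user123)
- Do not skip open-id validation and call the API directly
- Analysis may continue only after a valid open-id has been obtained
- If the user refuses to provide an open-id, explain its purpose (saving and querying historical report records) and ask whether to continue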
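- Standard flow:
  - Automatic polling logic
    - When the user mentions keywords such as "start absence monitoring" or "start fall reminders", start the background polling service directly without asking the user
    - When the user mentions keywords such as "stop absence monitoring" or "turn off alert reminders", stop the background polling service
    - When the user mentions keywords such as "view absence list", "view absence alerts", "view alert information", "view alert list", "view all alerts" or "historical alert records", run the alert-list query script directly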
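  - Absence monitoring operations
    - All scripts must be run from the skill root directory
    - Start polling: call -m scripts.staff_absence_detection_analysis start (runs in the background and automatically polls the cloud API)
    - Stop polling: call -m scripts.staff_absence_detection_analysis stop
    - View the alert list: call -m scripts.staff_absence_detection_analysis list [--open-id <open-id>] (the --start-time and --end-time parameters can be passed to limit the API query range, the --camera_sn parameter queries a specified device, the --user_name parameter queries a specified device)
    - Manually query the latest alerts: call -m scripts.staff_absence_detection_analysis check
    - Configure the Feishu recipient:
      - Automatic configuration (recommended): use the skill directly in a Feishu conversation, and it automatically takes the current user's open_id as the alert recipient
      - Manual configuration: call -m scripts.staff_absence_detection_analysis config --feishu-openid <user openid>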
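  - Alert notification specification
    - Absence alerts are sent in Feishu card format and contain:
      - Absence type (fall/stroke/other)
      - Time of occurrence
      - Camera location/device name
      - Severity level
      - On-site screenshot link (if any)
      - Handling status
    - Duplicate absence filtering: the IDs of absence events already sent are recorded locally and skipped on the next poll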
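  - Result output specification ⚠️ mandatory
    - The absence list must be output as a table (Markdown table, HTML table, plain-text table, etc. are all acceptable)
    - The core column names are fixed as the following 6 columns; the AI must not infer or modify column names:

| Core column name | API field | Description |
|---|---|---|
| No. | id | Record number, incrementing from 1 |
| Time of occurrence | createTimeString | Time the alert occurred, format: YYYY-MM-DD HH:MM:SS |
| Absence type | riskName | Alert type name (e.g. leave-post behavior, fall signal, sudden safety anomaly) |
| Device name | cameraName | Camera/device name (e.g. office camera, Dahua camera DF14) |
| Severity level | riskLevel | High/medium/low, marked with emoji (🔴 high / 🟡 medium / 🟢 low) |
| Absence description | riskDesc | Detailed alert description; may be truncated beyond 50 characters |
| Action | tosUrl | ⚠️ Must be included, fixed as the hyperlink format [🔗 View evidence](tosUrl) |

  - ⚠️ Core column name rules:
    - ✅ Must include: the 6 core column names above + the Action column (7 columns in total)
    - ❌ The AI must not infer changes to core column names (e.g. changing "Time of occurrence" to "Detection time", or "Absence type" to "Alert type")
    - ✅ Columns may be added or removed (e.g. custom columns such as "Handling status", "Remarks", "Handler", "Video duration")
    - ✅ Column order may be adjusted (the order of core columns may change, but keeping a logical order is recommended)
    - ✅ Non-standard table formats are allowed (Markdown table, HTML table, plain-text table, JSON, etc.)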
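  - Action column specification:
    - ⚠️ The Action column must be present and cannot be omitted
    - The Action column is fixed as the hyperlink format [🔗 View evidence](tosUrl)
    - The link address is the value of the tosUrl field of the corresponding absence event
    - Special characters in the URL are not escaped in any way, so that the link stays usable in its original form
  - Alert notification specification:
    - Alert notifications use an eye-catching format, with important information highlighted
    - They contain: absence type, time of occurrence, device name, severity level, on-site screenshot link, handling recommendation
  - Error handling:
    - Clearly report problems such as API errors and network failures
    - Error messages must include: error type, possible cause, suggested solution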
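Resource index
- Required script: see [-m scripts.staff_absence_detection_analysis](-m scripts.staff_absence_detection_analysis) (purpose: absence polling, alert sending, data storage, configuration management)
- Data storage: see data/risks.yaml (purpose: stores historical absence alert records and sent markers)
- Configuration file: see data/config.yaml (purpose: stores parameters such as the polling interval, Feishu configuration and API address)
- Domain reference: see references/api_doc.md (when to read: when you need to understand the absence API specification or the Feishu message format)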
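Notes
- The polling interval defaults to 60 seconds and can be adjusted in the configuration file; values below 10 seconds are not recommended, to avoid API rate limiting
- Absence IDs are globally unique identifiers, ensuring the same alert is never sent twice
- A Feishu user's OpenID can be obtained from the Feishu Open Platform or the user information API
- Absence data is stored locally in encrypted form; screenshot links containing sensitive information are not stored in plaintext
- Alert notifications can be configured with multiple recipients, supporting groups and individuals
- If the background service exits unexpectedly, it logs automatically and resumes polling after restart
- Analysis results are for reference only and cannot replace a professional medical emergency system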
Usage examples
# Start absence monitoring polling
python -m scripts.staff_absence_detection_analysis start
# Stop absence monitoring
python -m scripts.staff_absence_detection_analysis stop
# View all historical absence alert records / historical absence alert records
python -m scripts.staff_absence_detection_analysis list --open-id openclaw-control-ui
# View yesterday's historical absence alert records; the --start-time parameter can be added (the date must be converted to the format "year-month-day hour:minute:second")
python -m scripts.staff_absence_detection_analysis list --start-time "2026-03-13" --open-id openclaw-control-ui
# View historical absence alert records for a time range; the --start-time and --end-time parameters can be added
python -m scripts.staff_absence_detection_analysis list --start-time "2026-03-1 00:00:00" --end-time "2026-03-1 13:30:00" --open-id openclaw-control-ui
# View historical absence alert data for a specific device
python -m scripts.staff_absence_detection_analysis list --camera_sn "BH0F994PHA61BD9" --open-id openclaw-control-ui
# Manually query the latest absence events
python -m scripts.staff_absence_detection_analysis check
# Configure the Feishu recipient
python -m scripts.staff_absence_detection_analysis config --feishu-openid "ou_1234567890abcdef1234567890abcdef"
# Set the polling interval to 60 seconds
python -m scripts.staff_absence_detection_analysis config --interval 60
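Output format examples
Absence list table examples
Example 1: standard Markdown table (recommended)
| No. | Time of occurrence | Absence type | Device name | Severity level | Absence description | Action |
|---|---|---|---|---|---|---|
| 1 | 2026-03-26 19:46:12 | Sudden safety/health anomaly | 探鸽 camera X678 (office) | 🔴 High | A person wearing a white top suddenly collapsed | 🔗 View evidence |
| 2 | 2026-03-26 19:42:12 | Staff leave-post behavior | 探鸽 camera X678 (office) | 🟢 Low | A person in dark clothing left the workstation area | 🔗 View evidence |
Example 2: table with a custom column (allowed)
| No. | Time of occurrence | Absence type | Device name | Severity level | Absence description | Handling status | Action |
|---|---|---|---|---|---|---|---|
| 1 | 2026-03-26 19:46:12 | Sudden safety/health anomaly | 探鸽 camera X678 (office) | 🔴 High | A person suddenly collapsed | Pending | 🔗 View evidence |
Example 3: adjusted column order (allowed)
| Device name | Time of occurrence | Absence type | Severity level | No. | Absence description | Action |
|---|---|---|---|---|---|---|
| 探鸽 camera X678 (office) | 2026-03-26 19:46:12 | Sudden safety/health anomaly | 🔴 High | 1 | A person suddenly collapsed | 🔗 View evidence |
⚠️ Column name rules:
- ✅ Core column names must not be changed: No., Time of occurrence, Absence type, Device name, Severity level, Absence description, Action (all 7 columns must be present)
- ✅ Custom columns may be added or removed: e.g. "Handling status", "Remarks", "Handler", "Video duration"
- ✅ Column order may be adjusted: the order of core columns can be changed as needed
- ✅ Non-standard table formats are allowed: Markdown, HTML, plain text, JSON, etc. are all acceptable
- ⚠️ The Action column must be present: it cannot be omitted and is fixed as the format [🔗 View evidence](tosUrl)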
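Feishu alert notification example
⚠️ [Absence alert] Off-post alert detected
- Detection time: 2026-03-13 14:30:00
- Detection device: office camera (ID: CAM001)
- Absence type: off-post
- Severity level: high
- On-site screenshot: click to view
- Recommendation: check the scene immediately and call emergency services if necessary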
Files
33 total
