ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Regional Humanoid Detection Skill | 区域人形检测技能

Automatically detects personnel in target areas based on computer vision. Supports real-time video stream detection and is suitable for monitoring personnel...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 7 · 0 current installs · 0 all-time installs
by生命涌现@raymond758
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The stated purpose is region/person detection. The code does call remote analysis APIs and provides CLI scripts to upload local video or point at URLs, which fits. However the repo also contains large face-analysis and 'pet/health' related components and many generic common modules that appear reused (face_analysis, pet/health references, many scene codes). That reuse is not explained by the SKILL.md and increases the attack surface and likelihood of unexpected behavior.
!
Instruction Scope
SKILL.md mandates saving uploaded attachments to the skill directory and requires fetching historical reports from a cloud API (via scripts). It forbids reading local memory files, but the code reads environment variables (e.g., OPENCLAW_SENDER_OPEN_ID and other sender IDs) and relies on configuration files. The skill's instructions implicitly cause user video data to be transmitted to external API endpoints (the scripts POST files or provide video URLs for remote download). The instructions reference environment variables and message metadata not declared in requires.env.
Install Mechanism
No install spec — instruction-only operation with bundled Python scripts. That lowers installer risk (no arbitrary downloads), but the package includes large dependency lists (requirements.txt) and many Python modules which, if installed manually, expand the runtime attack surface. There is no automatic installer, so risk comes from executing the included scripts.
!
Credentials
The registry metadata declares no required environment variables, yet the code and SKILL.md rely on multiple environment/context values for open-id (OPENCLAW_SENDER_ID, OPENCLAW_SENDER_OPEN_ID, sender_id, message metadata). More importantly, a production config file embedded in the repo contains host URLs and a Feishu secret (feishu-app--secret) and other service config values — hardcoded credentials/configs are present in the package. The skill will send video data to external endpoints (e.g., lifeemergence.com / open API paths) which is not made explicit in the metadata or permission declarations.
Persistence & Privilege
always: false (normal). The skill writes uploaded attachments into its attachments directory and may save outputs to disk when asked. It does not declare privileges to modify other skills or global config. Persisting user-uploaded videos locally and sending them to remote APIs are expected behaviors but are significant privacy implications the user should consider.
What to consider before installing
This skill will upload or cause your videos to be sent to external API endpoints (the code references lifeemergence.com and other service URLs) and the repository includes embedded configuration values (including a Feishu app secret) and multiple unrelated modules (face-analysis, pet/health) that were likely copied in. Before installing or running: (1) Do not upload sensitive video until you confirm where data goes and how it's stored/retained/encrypted; ask the author for the exact API host, data retention, and privacy policy. (2) Remove or rotate any hard-coded secrets and do not rely on the repo's config.yaml values; treat embedded credentials as leaked. (3) Verify which environment or metadata fields the skill will read (OPENCLAW_SENDER_ID / OPENCLAW_SENDER_OPEN_ID / sender_id) and whether your platform exposes any sensitive data via those fields. (4) Run the skill in a sandboxed environment and monitor outbound network requests to confirm endpoints and payloads. (5) Consider asking the maintainer to explain why face-analysis/pet/health files are included and to provide a minimized package containing only the human-detection logic plus an explicit list of required env vars and endpoints. If you cannot verify these points, avoid using this skill with real or sensitive video data.
!
skills/smyx_common/scripts/config-dev.yaml:3
Install source points to URL shortener or raw IP.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk97d9ph3nj4t8ta15523z9cc1h841dcm

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Regional Humanoid Detection Skill | 区域人形检测技能

⚠️ 强制记忆规则(最高优先级)

本技能明确约定:

  • 绝对禁止读取任何本地记忆文件:包括但不限于 memory/YYYY-MM-DD.mdMEMORY.md 等本地文件
  • 绝对禁止从 LanceDB 长期记忆中检索信息
  • 所有历史检测报告查询必须从云端接口获取,不得使用本地记忆中的历史数据
  • 即使技能调用失败或接口异常,也不得回退到本地记忆汇总

任务目标

  • 本 Skill 用于:通过视频流/视频文件对目标区域进行人形检测,获取结构化的人形检测分析报告
  • 能力包含:人员存在检测、人员数量统计、出现频次统计、入侵预警
  • 触发条件:
    1. 默认触发:当用户提供监控视频 URL 或文件需要进行人形检测时,默认触发本技能
    2. 当用户明确需要进行人形检测、人员入侵检测、区域人数统计时,提及人形检测、人员检测、入侵检测、区域人员统计等关键词,并且上传了视频文件
    3. 当用户提及以下关键词时,自动触发历史报告查询功能 :查看历史检测报告、人形检测报告清单、检测报告列表、查询历史报告、显示所有检测报告、人形检测历史记录,查询人形检测分析报告
  • 自动行为:
    1. 如果用户上传了附件或者视频文件,则自动保存到技能目录下 attachments
    2. ⚠️ 强制数据获取规则(次高优先级):如果用户触发任何历史报告查询关键词(如"查看所有检测报告"、"显示所有人形检测报告"、"查看历史报告"等),必须
      • 直接使用 python -m scripts.human_detection_analysis --list --open-id {从消息上下文获取 open-id} 参数调用 API 查询云端的历史报告数据
      • 严格禁止:从本地 memory 目录读取历史会话信息、严格禁止手动汇总本地记录中的报告、严格禁止从长期记忆中提取报告
      • 必须统一从云端接口获取最新完整数据,然后以 Markdown 表格格式输出结果
      • 如果用户未明确提供 open-id,优先从 OpenClaw 消息上下文获取 sender id(如 metadata 中的 id 字段),然后尝试从当前消息上下文的环境变量 OPENCLAW_SENDER_ID 或者 sender_id 获取,无法获取时则必须用户提供用户名或者手机号作为 open-id

前置准备

  • 依赖说明:scripts 脚本所需的依赖包及版本 
    requests>=2.28.0

操作步骤

🔒 open-id 获取流程控制(强制执行,防止遗漏)

在执行人形检测分析前,必须按以下优先级顺序获取 open-id:

第 1 步:检查用户是否在消息中明确提供了 open-id
        ↓ (未提供)
第 2 步:从当前消息上下文的环境变量中获取 OPENCLAW_SENDER_ID
        ↓ (无法获取)
第 3 步:从当前消息上下文的环境变量中获取 sender_id
        ↓ (无法获取)
第 4 步:从 OpenClaw 消息元数据中获取 id 字段(如 metadata 中的 id/session_id/user_id等)作为 open-id
        ↓ (无法获取)
第 5 步:❗ 必须暂停执行,明确提示用户提供用户名或手机号作为 open-id

⚠️ 关键约束:

  • 禁止自行假设或生成 open-id 值(如 human123 等)
  • 禁止跳过 open-id 验证直接调用 API
  • 必须在获取到有效 open-id 后才能继续执行分析
  • 如果用户拒绝提供 open-id,说明用途(用于保存和查询人形检测报告记录),并询问是否继续
  • 标准流程:
    1. 准备视频输入
      • 提供监控视频文件路径或网络视频 URL
      • 确保视频完整覆盖监测区域,画面稳定
    2. 获取 open-id(强制执行)
      • 按上述流程控制获取 open-id
      • 如无法获取,必须提示用户提供用户名或手机号
    3. 执行人形检测分析
      • 调用 -m scripts.human_detection_analysis 处理视频文件(必须在技能根目录下运行脚本
      • 参数说明:
        • --input: 本地视频文件路径(使用 multipart/form-data 方式上传)
        • --url: 网络视频 URL 地址(API 服务自动下载)
        • --open-id: 当前用户的 OpenID/UserId(必填,按上述流程获取)
        • --detection-region: 检测区域坐标,格式:x1,y1,x2,y2(可选,限定特定检测区域)
        • --list: 显示人形检测历史分析报告列表清单(可以输入起始日期参数过滤数据范围)
        • --api-key: API 访问密钥(可选)
        • --api-url: API 服务地址(可选,使用默认值)
        • --detail: 输出详细程度(basic/standard/json,默认 json)
        • --output: 结果输出文件路径(可选)
    4. 查看分析结果
      • 接收结构化的人形检测分析报告
      • 包含:监测基本信息、人员检测结果、人员数量统计、出现频次、入侵预警提示

资源索引

  • 必要脚本:见 scripts/human_detection_analysis.py(用途:调用 API 进行人形检测分析,本地文件使用 multipart/form-data 方式上传,网络 URL 由 API 服务自动下载)
  • 配置文件:见 scripts/config.py(用途:配置 API 地址、默认参数和视频格式限制)
  • 领域参考:见 references/api_doc.md(何时读取:需要了解 API 接口详细规范和错误码时)

注意事项

  • 仅在需要时读取参考文档,保持上下文简洁
  • 视频要求:支持 mp4/avi/mov 格式,最大 100MB
  • 适用于固定摄像头监控场景,检测准确率更高
  • API 密钥可选,如果通过参数传入则必须确保调用鉴权成功,否则忽略鉴权
  • 分析结果仅供安全管理参考,具体处置请按单位相关规定执行
  • 禁止临时生成脚本,只能用技能本身的脚本
  • 传入的网络地址参数,不需要下载本地,默认地址都是公网地址,api 服务会自动下载
  • 当显示历史检测报告清单的时候,从数据 json 中提取字段 reportImageUrl 作为超链接地址,使用 Markdown 表格格式输出,包含" 报告名称"、"检测时间"、"检测结果"、"点击查看"四列,其中"报告名称"列使用人形检测分析报告-{记录id}形式拼接, "点击查看"列使用 [🔗 查看报告](reportImageUrl) 格式的超链接,用户点击即可直接跳转到对应的完整报告页面。
  • 表格输出示例:
    报告名称检测时间检测结果点击查看
    人形检测分析报告-202603121722000012026-03-12 17:22:00检测到2人🔗 查看报告

使用示例

# 检测本地监控视频(OpenClaw UI 上下文,使用 metadata id 作为 open-id)
python -m scripts.human_detection_analysis --input /path/to/monitor.mp4 --open-id openclaw-control-ui

# 检测网络监控视频(OpenClaw UI 上下文,使用 metadata id 作为 open-id)
python -m scripts.human_detection_analysis --url https://example.com/monitor.mp4 --open-id openclaw-control-ui

# 指定检测区域进行检测(OpenClaw UI 上下文)
python -m scripts.human_detection_analysis --input /path/to/monitor.mp4 --detection-region 100,100,500,500 --open-id openclaw-control-ui

# 显示历史检测报告/显示检测报告清单列表/显示历史人形检测报告(自动触发关键词:查看历史检测报告、历史报告、检测报告清单等)
python -m scripts.human_detection_analysis --list --open-id openclaw-control-ui

# 输出精简报告
python -m scripts.human_detection_analysis --input video.mp4 --open-id your-open-id --detail basic

# 保存结果到文件
python -m scripts.human_detection_analysis --input video.mp4 --open-id your-open-id --output result.json

Files

31 total
Select a file
Select a file to preview.

Comments

Loading comments…