Workplace Phone Usage Smart Monitoring Skill | 职场玩手机智能监测技能
v1.0.0
Based on computer vision, automatically detects employees playing with phones during work hours, supports real-time video stream and image detection, counts...
MIT-0
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The code and scripts implement computer-vision based phone-usage monitoring as described (video/image analysis, reporting, history listing). The file structure (phone_usage_monitoring_analysis.py, face_analysis skill, common API/service layers) is coherent with the stated purpose.
Instruction Scope
SKILL.md forces specific runtime behaviors: automatic saving of uploaded attachments to the skill directory, mandatory open-id resolution from environment/metadata, and strict prohibition on reading local memory. The instructions require calling local scripts that then call cloud APIs. The enforced prohibition on local memory is unusual and could be an attempt to avoid local auditing; instructions also direct retrieving open-id from environment variables that are not declared in the registry metadata.
Install Mechanism
No install spec is provided (instruction-only), which reduces installation risk. However, multiple requirements.txt files list many dependencies (large dependency surface). Those dependencies are not declared in the registry metadata and would need installation to run the scripts fully.
Credentials
Registry metadata claims no required environment variables or credentials, but code and SKILL.md expect and read OpenClaw-related env vars (OPENCLAW_SENDER_ID, OPENCLAW_SENDER_OPEN_ID, OPENCLAW_SENDER_USERNAME, FEISHU_OPEN_ID, etc.). Additionally, repository config files include hard-coded service endpoints and at least one app secret (feishu-app--secret) and internal/base URLs in skills/smyx_common/scripts/config.yaml; embedding such credentials/endpoints in the skill is disproportionate and risky.
Persistence & Privilege
The skill auto-saves user-uploaded attachments into an attachments directory and writes output files when requested. It is not globally 'always' installed, but the saving behavior and presence of configuration files with embedded secrets increases persistence and the risk of exposing sensitive media or credentials on disk. The SKILL.md also mandates the skill must fetch history from cloud APIs (not local memory), concentrating data flow to external endpoints.
Scan Findings in Context
[hardcoded-credentials-in-config] unexpected: skills/smyx_common/scripts/config.yaml contains values including a feishu-app--secret and base URLs. A monitoring skill can reasonably require an API key, but the registry metadata declared no required credentials and embedding secrets in repo config is unexpected and risky.
[reads-environment-variables] unexpected: Code (ConstantEnum.init and SKILL.md) reads OPENCLAW_* and FEISHU_* environment variables and expects open-id from message metadata. The registry states no required env vars, creating a mismatch that can lead to surprise access to environment information.
[external-api-calls] expected: The skill calls remote analysis APIs (ApiService layers, analysis endpoints). External network calls are expected for a cloud-based CV analysis service, but combined with hard-coded endpoints and embedded secrets this increases the attack/exfiltration surface and requires trust in the remote servers.
What to consider before installing
This skill implements the advertised phone-usage monitoring but has several red flags you should resolve before installing:
1) The registry says no credentials are required, yet the code reads OpenClaw/Feishu environment variables and repository config files include a feishu app secret and service base URLs; ask the author why credentials are embedded and what must be set in your environment.
2) SKILL.md forces auto-saving uploaded attachments into the skill directory and forbids reading local memory; review where attachments will be stored and whether that complies with your privacy and retention policies.
3) Confirm the remote endpoints (lifeemergence.com and other base URLs found in config files) are trustworthy; the skill will send video/images to those servers.
4) If you decide to proceed, run the skill in an isolated environment (container or VM), remove or rotate any embedded secrets in config files, and require explicit employee consent and legal review for workplace monitoring.
5) Ask the publisher for a clear list of required environment variables, a privacy dataflow diagram, and proof that embedded credentials are not leaked or stale.
If the author cannot explain these inconsistencies, do not install in production.
skills/smyx_common/scripts/config-dev.yaml:3
Install source points to URL shortener or raw IP.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
Like a lobster shell, security has layers: review code before you run it.
latest
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
Workplace Phone Usage Smart Monitoring Skill | 职场玩手机智能监测技能
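⚠️ Mandatory Memory Rules (Highest Priority)
This skill explicitly stipulates:
- Reading any local memory file is strictly forbidden, including but not limited to local files such as memory/YYYY-MM-DD.md and MEMORY.md
- Retrieving information from LanceDB long-term memory is strictly forbidden
- All historical report queries must be fetched from the cloud API; historical data in local memory must not be used
- Even if the skill call fails or the API returns an error, falling back to a summary from local memory is not allowed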
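Task Objectives
- This Skill is used to: perform intelligent analysis of workplace phone-usage behavior from office-area surveillance video/images, automatically identify employees using phones during work hours, and generate an office efficiency monitoring report
- Capabilities include: video/image analysis, phone object detection, phone-usage behavior recognition, duration statistics, frequency analysis, violation alerts, and generation of office efficiency recommendations
- Trigger conditions:
  - Default trigger: when the user provides a surveillance video/image URL or file that needs phone-usage detection, this skill is triggered by default to perform office behavior monitoring analysis
  - When the user explicitly needs office monitoring, phone-usage detection, or employee behavior management, mentions keywords such as phone-usage monitoring, office efficiency, employee behavior monitoring, or on-duty status detection, and has uploaded a video or image file
  - When the user mentions any of the following keywords, the historical report query function is triggered automatically: view historical monitoring reports, historical efficiency reports, phone-usage monitoring report list, query historical reports, view monitoring report list, show all monitoring reports, show phone-usage analysis reports, query office behavior monitoring reports
- Automatic behavior:
  - If the user uploads an attachment or a video/image file, it is automatically saved to attachments under the skill directory
  - ⚠️ Mandatory data retrieval rule (second-highest priority): if the user triggers any historical report query keyword (such as "view all monitoring reports", "show all efficiency reports", "view historical reports"), the following is required:
    - Directly call the API to query the historical report data in the cloud using python -m scripts.phone_usage_monitoring_analysis --list --open-id {open-id obtained from the message context}
    - Strictly forbidden: reading historical session information from the local memory directory, manually summarizing reports from local records, and extracting reports from long-term memory
    - The latest complete data must always be fetched from the cloud API and then output as a Markdown table
    - If the user has not explicitly provided an open-id, first obtain the sender id from the OpenClaw message context (such as the id field in metadata), then try the environment variable OPENCLAW_SENDER_ID or sender_id in the current message context; if it cannot be obtained, the user must provide a username or phone number as the open-id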
Prerequisites
- Dependencies: packages and versions required by the scripts
requests>=2.28.0
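Procedure
🔒 open-id acquisition flow control (mandatory, to prevent omissions)
Before running the phone-usage monitoring analysis, the open-id must be obtained in the following priority order:
Step 1: Check whether the user explicitly provided an open-id in the message
↓ (not provided)
Step 2: Get OPENCLAW_SENDER_ID from the environment variables of the current message context
↓ (cannot be obtained)
Step 3: Get sender_id from the environment variables of the current message context
↓ (cannot be obtained)
Step 4: Get the id field from the OpenClaw message metadata (such as id/session_id/user_id in metadata) as the open-id
↓ (cannot be obtained)
Step 5: ❗ Execution must pause and the user must be explicitly prompted to provide a username or phone number as the open-id
⚠️ Key constraints:
- Do not assume or generate an open-id value yourself (such as office123, monitor456)
- Do not skip open-id validation and call the API directly
- Analysis may continue only after a valid open-id has been obtained
- If the user declines to provide an open-id, explain its purpose (saving and querying monitoring report records) and ask whether to continue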
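- Standard flow:
  - Prepare the video/image input
    - Provide a local video/image file path or a network media URL
    - Make sure the surveillance footage clearly covers the office workstation area and is well lit
  - Obtain the open-id (mandatory)
    - Obtain the open-id according to the flow control above
    - If it cannot be obtained, the user must be prompted to provide a username or phone number
  - Run the phone-usage monitoring analysis
    - Call -m scripts.phone_usage_monitoring_analysis to process the file (the script must be run from the skill root directory)
    - Parameters:
      - --input: local video/image file path (uploaded as multipart/form-data)
      - --url: network media URL (downloaded automatically by the API service)
      - --detection-type: detection type, one of video (video stream detection) / image (image detection); default video
      - --work-area: work area type, one of open-office (open-plan office) / cubicle (individual workstation) / meeting-room (meeting room) / other; default other
      - --open-id: OpenID/UserId of the current user/enterprise (required; obtained via the flow above)
      - --list: show the list of historical phone-usage monitoring analysis reports (a start date parameter may be supplied to filter the data range)
      - --api-key: API access key (optional)
      - --api-url: API service URL (optional; the default value is used)
      - --detail: output detail level (basic/standard/json; default json)
      - --output: output file path for the results (optional)
  - View the analysis results
    - Receive a structured office efficiency monitoring report
    - Contains: monitored-area information, detection statistics, phone-usage behavior recognition data, duration and frequency statistics, violation alerts, and efficiency improvement recommendations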
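Resource Index
- Required script: see scripts/phone_usage_monitoring_analysis.py (purpose: calls the API to perform phone-usage behavior analysis; local files are uploaded as multipart/form-data, network URLs are downloaded automatically by the API service)
- Configuration file: see scripts/config.py (purpose: configures the API URL, default parameters, and media format limits; the scene code is set to PHONE_USAGE_MONITORING_ANALYSIS)
- Domain reference: see references/api_doc.md (when to read: when detailed API specifications and error codes are needed)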
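Notes
- Read the reference documentation only when needed, to keep the context concise
- Supported formats: video in mp4/avi/mov, images in jpg/png/jpeg, maximum 100MB
- The API key is optional; if it is passed as a parameter, the call must authenticate successfully, otherwise authentication is skipped
- Analysis results are for internal enterprise management reference only; protect employees' personal privacy and comply with applicable laws and regulations
- Do not generate ad hoc scripts; only the skill's own scripts may be used
- Network URLs passed as parameters do not need to be downloaded locally; they are assumed to be public addresses, and the API service downloads them automatically
- When displaying the historical analysis report list, extract the reportImageUrl field from the JSON data as the hyperlink target and output a Markdown table with four columns: "Report name", "Detection type", "Analysis time", and "View". The "Report name" column is built as Phone Usage Monitoring Report-{record id}, and the "View" column uses a hyperlink in the form [🔗 View report](reportImageUrl), so the user can click through directly to the corresponding full report page.
- Table output example:

| Report name | Detection type | Analysis time | View |
|---|---|---|---|
| Phone Usage Monitoring Report-20260312172200001 | Video detection | 2026-03-12 17:22:00 | 🔗 View report |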
Usage Examples
# Analyze an open-plan office video (OpenClaw UI context, using the metadata id as the open-id)
python -m scripts.phone_usage_monitoring_analysis --input /path/to/office_video.mp4 --detection-type video --work-area open-office --open-id openclaw-control-ui
# Analyze a workstation surveillance image (OpenClaw UI context, using the metadata id as the open-id)
python -m scripts.phone_usage_monitoring_analysis --input /path/to/office_image.jpg --detection-type image --work-area cubicle --open-id openclaw-control-ui
# Analyze a network video stream (OpenClaw UI context, using the metadata id as the open-id)
python -m scripts.phone_usage_monitoring_analysis --url https://example.com/office_monitor.mp4 --detection-type video --work-area meeting-room --open-id openclaw-control-ui
# Show historical analysis reports / show the analysis report list / show historical monitoring reports (auto-trigger keywords: view historical monitoring reports, historical reports, monitoring report list, etc.)
python -m scripts.phone_usage_monitoring_analysis --list --open-id openclaw-control-ui
# Output a concise report
python -m scripts.phone_usage_monitoring_analysis --input monitor.mp4 --detection-type video --open-id your-open-id --detail basic
# Save the results to a file
python -m scripts.phone_usage_monitoring_analysis --input image.jpg --detection-type image --open-id your-open-id --output result.json
