Skill v1.0.0
ClawScan security
Fish Aquatic Pet Health Diagnosis Analysis Tool | 鱼类水族宠物健康诊断分析工具 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 15, 2026, 2:07 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly does what it says (calls a remote aquarium-health API for video analysis) but includes inconsistent and disproportionate behaviors — local DB/DAO code, undeclared environment access, and contradictions between the SKILL.md rules and the code — so review before installing.
- Guidance: This skill appears to implement the advertised remote aquarium-video analysis, but it also includes a large shared library (smyx_common), a local SQLite DAO, config files, and logic that reads workspace-level config and environment variables that the skill did not declare. Notably SKILL.md forbids reading 'local memory' but the code reads local config and can create/use a local database; that contradiction is important. Before installing or enabling this skill:
  1) Ask the publisher to explain why a local DB and the face_analysis module are bundled and to confirm what local files will be read/written.
  2) Inspect skills/smyx_common/scripts/config.yaml and config-dev/prod/test to verify API base URLs and any embedded keys.
  3) Run the skill in an isolated test environment (or container) to observe what files it writes (attachments, DB).
  4) Do not provide sensitive credentials or global environment variables (OPENCLAW_SENDER_OPEN_ID, FEISHU_OPEN_ID, workspace secrets) until you confirm their necessity.
  5) If you expect a lightweight client that only forwards video to a trusted remote API, prefer a version without the local DAO and unrelated face-analysis components or require the author to minimize declared access and document exactly what is stored locally.
Review Dimensions
- Purpose & Capability (note): The stated purpose (analyze aquarium pet videos via a server-side API) matches many of the scripts (scripts/aquarium_analysis.py, scripts/api_service.py). However the repo also bundles a separate face_analysis skill and a large 'smyx_common' library (DB/DAO, many utilities). Inclusion of a full local DAO/SQLite layer and a broad dependency list is heavier than expected for a thin client that just calls a remote API. Having a local DB + many unrelated analysis modules is plausible (reused common code), but is more privileged and wider in scope than the simple description implies.
- Instruction Scope (concern): SKILL.md imposes strict runtime rules (e.g., 'absolute prohibition' on reading local memory/LanceDB and 'all history must come from cloud API') but the codebase includes modules that read local config files and implement a local SQLite DAO which writes/reads under the workspace data directory. The SKILL.md mandates saving uploaded attachments to an attachments folder; that implies writing files. The runtime instructions also require checking local files for open-id in specific config paths. These behaviors contradict the 'do not read local memory' rule and grant the skill file-system access beyond what is explicitly justified.
- Install Mechanism (note): There is no install spec (instruction-only), so nothing is auto-downloaded on install. However the included smyx_common/requirements.txt lists many packages and the repo contains many Python modules that assume those dependencies exist. Installing or running this skill in a real agent may require installing a large dependency set (moderate friction and risk). No external arbitrary download URLs or extract operations were found.
- Credentials (concern): The skill declares no required env vars, but the code reads multiple environment values (OPENCLAW_WORKSPACE, OPENCLAW_SENDER_OPEN_ID, OPENCLAW_SENDER_USERNAME, FEISHU_OPEN_ID) and also expects to read api-key/open-id from local config.yaml files. SKILL.md enforces a multi-step open-id discovery that reads local config paths in the skill and workspace; this grants the skill access to workspace-level config. The skill therefore implicitly needs environment/config access that is not declared, which is disproportionate and inconsistent.
- Persistence & Privilege (concern): The code includes a sqlite-based DAO that creates/uses a database under the workspace data directory and utility functions that create config yaml files if missing. The SKILL.md instructs saving uploaded attachments into the skill directory. Although 'always' is false, the skill will persist data locally and can read workspace config files and possibly other skill config paths — a broader persistence/privilege than the simple description implies.
