Fraud Call Identification and Analysis Tool (诈骗电话识别分析工具)
Review: audited by ClawScan on May 13, 2026.
Overview
The skill mostly matches its stated fraud-call analysis purpose, but it handles sensitive call content and cloud-side report history using a phone-number or username-style open-id, and the authentication boundary around that identifier is unclear.
Review this before installing if your calls are private. Confirm who operates the remote API, what open-id will be used, how historical reports are authorized, and how uploaded recordings are retained or deleted.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A phone number or username may be tied to sensitive call-analysis reports and report links; if the wrong or guessable open-id is used, reports could be misattributed or exposed through the provider service.
The skill uses a username/phone-style open-id to save and query historical fraud-analysis reports, while describing API-key authentication as optional.
Execution must pause and the user must be explicitly prompted to provide a username or phone number as the open-id ... --list: show the list of historical fraud identification analysis reports ... API key optional
Only use this with a provider you trust, avoid using another person's identifier, and prefer a dedicated non-sensitive account identifier. The publisher should require and document scoped authentication for report history access.
Users may believe report access is protected by an API key or explicitly scoped open-id, but the visible wrapper does not make that boundary clear.
The wrapper accepts api_key and open_id parameters, but the shown functions do not directly use api_key and do not pass open_id into the list call; authorization/scoping appears to depend on global/common behavior not clearly shown here.
    def analyze_call(input_path=None, url=None, text=None, api_url=None, api_key=None, output_level=None):
        input_path = input_path or url or text
        return skill.get_output_analysis(input_path)

    def show_analyze_list(open_id, start_time=None, end_time=None):
        output_content = skill.get_output_analysis_list()

Require explicit authenticated credentials for report queries, pass the user identity and API key through clearly, and document exactly how report access is authorized.
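To make the recommended boundary concrete, the following is an added example (not the skill's or the provider's code) of a wrapper in which the API key and open-id are mandatory and are passed through on every call; `RemoteAnalysisClient`, the `OPEN_ID_RE` format, and the request and report shapes are assumptions standing in for the unknown provider API.

```python
"""Hardened wrapper sketch: credentials and identity are explicit on every call."""
import re
from dataclasses import dataclass, field

# Assumed format: an opaque, dedicated account identifier rather than a raw phone number.
OPEN_ID_RE = re.compile(r"^[A-Za-z0-9_.-]{3,64}$")


class AuthError(ValueError):
    """Raised when a report operation lacks a valid credential or identity."""


@dataclass
class RemoteAnalysisClient:
    """Stand-in for the provider client (hypothetical); records what would be sent."""
    api_url: str
    sent: list = field(default_factory=list)
    reports: dict = field(default_factory=dict)  # open_id -> list of report ids

    def _check(self, api_key, open_id):
        if not api_key:
            raise AuthError("api_key is required for analysis and report access")
        if not open_id or not OPEN_ID_RE.match(open_id):
            raise AuthError("open_id must be an explicit, well-formed account identifier")

    def analyze(self, payload, api_key, open_id):
        self._check(api_key, open_id)
        report_id = f"r{len(self.sent) + 1}"
        # The key travels as a bearer token and the report is attributed to the caller.
        self.sent.append({"Authorization": f"Bearer {api_key}", "open_id": open_id, **payload})
        self.reports.setdefault(open_id, []).append(report_id)
        return report_id

    def list_reports(self, api_key, open_id):
        self._check(api_key, open_id)
        return list(self.reports.get(open_id, []))  # scoped to the caller's own open_id


def analyze_call(client, api_key, open_id, input_path=None, url=None, text=None):
    """Exactly one input kind is accepted; credentials are required, not optional."""
    inputs = {k: v for k, v in {"input_path": input_path, "url": url, "text": text}.items() if v}
    if len(inputs) != 1:
        raise ValueError("provide exactly one of input_path, url, text")
    return client.analyze(inputs, api_key=api_key, open_id=open_id)


def show_analyze_list(client, api_key, open_id):
    """History lookup is always scoped by the supplied identity and key."""
    return client.list_reports(api_key=api_key, open_id=open_id)
```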
Private call recordings, call URLs, or transcripts may leave the local environment for provider-side analysis.
The skill is designed to upload user-selected call recordings or text to a remote analysis API; this is purpose-aligned but sensitive.
`--input`: local audio file path (uploaded as multipart/form-data) ... `--url`: web audio URL (the API service downloads it automatically) ... `--text`: call text content
Use only with call content you are comfortable sending to the provider, and avoid uploading highly sensitive recordings unless the provider's privacy terms are acceptable.
Sensitive call recordings may persist locally after analysis.
The instructions say uploaded attachments/audio are automatically stored locally under the skill directory, but retention and cleanup are not described.
If the user uploads an attachment or audio file, it is automatically saved to the attachments directory under the skill directory
Check and delete the attachments directory after use if recordings are sensitive; the publisher should document retention and cleanup behavior.
If the environment were switched to dev, requests could be sent to a private or unexpected endpoint.
A bundled development configuration points to a private raw-IP endpoint. The default configuration appears to select prod, so this endpoint is not clearly active by default, but it is a provenance and configuration risk worth noting.
base-url-open-api: "http://192.168.1.234:9601/smyx-open-api"
Do not enable dev configuration unless you control that endpoint; the publisher should remove private dev endpoints from released packages.
