Skill v1.0.0

ClawScan security

Human Pose Recognition Skill | 人体姿态识别技能 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 16, 2026, 3:26 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill mostly matches its stated purpose (call a remote posture-analysis API and format results) but contains multiple mismatches and surprises — local config/DB file writes, inconsistent limits, implicit env access, and a large common dependency footprint — that merit review before installation.
Guidance
Key things to check before installing or invoking this skill:
- Confirm endpoints and credentials: The skill calls external API endpoints configured under skills/smyx_common/scripts/config.yaml (base-url-open-api/base-url-health). Make sure those URLs are trusted and that you intend to send video (or URLs) to them. API key fields are present but empty in the provided config — do not provide real production credentials until you verify the service.
- Clarify open-id handling: The SKILL.md mandates retrieving an open-id from specific config files or user input and forbids generating one. The code also reads environment variables (OPENCLAW_SENDER_OPEN_ID, FEISHU_OPEN_ID) as fallbacks. Decide whether you will provide a real user identifier; avoid using sensitive user IDs or credentials until you trust the backend service.
- Watch for local writes: The shared smyx_common utilities will create config YAMLs and can create a local SQLite DB under the workspace data directory. If you need a no-persistence runtime, run the skill in an isolated container or sandbox and verify file-write behavior.
- Note mismatches in documentation vs code: SKILL.md says 100MB max video; the code enforces ConstantEnum.MAX_FILE_SIZE_MB which defaults to 10MB. Adjust whichever is authoritative and test with expected file sizes.
- Dependency scope: There is no automatic installer, but the included requirements files list many packages. If you install dependencies, be aware of the broad dependency surface and install into a controlled virtual environment.
- Confirm attachment behavior: SKILL.md says uploaded attachments will be saved into an attachments folder — search the codebase for explicit save behavior or prefer to supply local file paths yourself. Do not assume automatic attachment handling without verifying.
- Run in an isolated environment and review runtime network calls: Because the skill sends video (or video URLs) to remote services, test within a controlled environment (network monitor/proxy) to confirm what is transmitted. If you cannot verify the remote service, avoid sending real personal videos.

If you want, I can:
- List exact files/functions that create or write local config/DB files
- Highlight each place where the code uses environment variables or constructs external URLs
- Suggest minimal hardening steps or a safe invocation checklist (sandboxing, dummy open-id, limited test files).

Review Dimensions

Purpose & Capability
Note: Name/description claim human-pose recognition using a cloud API; the code implements API calls and result formatting and therefore aligns with purpose. However the package also includes a large shared utility layer (skills/smyx_common) that supports a local SQLite DB, config file creation, and many helper features that are broader than a minimal posture-recognition helper. That extra surface is explainable for a productized SDK but is disproportionate to the minimal description.
Instruction Scope
Concern: SKILL.md imposes strict runtime rules (must not read local 'memory' files, must obtain open-id from specific config files or user input, must fetch historical reports only from cloud API) and says attachments will be automatically saved to an attachments folder. The code, however, reads/writes config files via the shared BaseEnum/YamlUtil (which will create config files if missing) and the shared DAO will create a local SQLite DB under the workspace data path. There are also mismatches between doc and code (doc says 100MB max, code enforces ConstantEnum.MAX_FILE_SIZE_MB which defaults to 10). These inconsistencies mean the agent may read/write files and local DBs despite the documentation's prohibitions; that is a scope concern that should be clarified.
Install Mechanism
Note: No install spec (instruction-only) so nothing is downloaded during install. However the repository includes requirements lists (skills/smyx_common/requirements.txt) that enumerate a very large set of dependencies. If a user or environment attempts to install those, it will pull many third-party packages. The absence of an install script reduces immediate install risk, but the included dependency list is disproportionate to the single-skill description and should be considered if you plan to install dependencies.
Credentials
Concern: The skill declares no required env vars but the code reads several environment values (e.g. OPENCLAW_SENDER_OPEN_ID, OPENCLAW_SENDER_USERNAME, FEISHU_OPEN_ID, OPENCLAW_WORKSPACE) via ConstantEnum.init and Dao.get_db_path. SKILL.md instructs a file-based open-id lookup (skills/smyx_common/scripts/config.yaml and workspace common config) and forbids generating open-id, which is reasonable, but the code also uses env vars as fallbacks. The skill also expects API base URLs and API keys from config.yaml; these are present but API key fields are blank. Requiring neither declared env nor explicit credentials while performing remote API calls and potentially saving user data is a proportionality concern: callers must confirm which credentials/endpoints will be used and be cautious about exposing real user identifiers (open-id).
Persistence & Privilege
Concern: always:false (good). Nevertheless, the included common code will create or update config YAML files (YamlUtil.load will write a config file if missing) and Dao may create a local SQLite DB under ${OPENCLAW_WORKSPACE}/data. SKILL.md forbids reading local memory files but does not forbid writing config or DB files; the code will persist files to the workspace. This persistent local footprint is significant and should be acceptable only if you expect local caching and have isolated the environment.