婴儿智能安全看护技能
PendingVirusTotal audit pending.
Overview
No VirusTotal analysis has been recorded yet. File reputation checks will appear here once the artifact hash has been scanned.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could read a local/shared API key or similar secret and use or transmit it as an open-id for saving or querying reports.
The skill tells the agent to read a shared workspace config field named api-key and reuse it as the user identity value. That is credential-like local configuration access and is not clearly necessary for infant video analysis.
路径:${OPENCLAW_WORKSPACE}/skills/smyx_common/scripts/config.yaml
→ 如果文件存在且配置了 api-key 字段,则读取 api-key 作为 open-idDo not allow the skill to use api-key values as open-id. Require an explicit, non-secret user identifier and declare any required config paths or credentials.
Infant videos or image/video URLs may leave the local environment and be processed by the provider’s cloud service.
The skill discloses that local infant videos are uploaded to an API service, or that the service downloads supplied video URLs. This is expected for cloud visual analysis but crosses a sensitive data boundary.
本地文件使用 multipart/form-data 方式上传,网络 URL 由 API 服务自动下载
Use only with videos you are comfortable sending to the provider, verify the endpoint, and ask the publisher about retention, access controls, and deletion.
Copies of sensitive baby videos/images may remain on disk after analysis.
The instructions say uploaded infant media is automatically saved locally under an attachments directory. This is scoped, but the artifacts do not describe retention or cleanup.
如果用户上传了附件或者视频/图片文件,则自动保存到技能目录下 attachments
Review and delete saved attachments after use, and avoid uploading unnecessary or identifying media.
A misconfigured environment could route videos or report requests to a non-production HTTP endpoint.
A packaged dev configuration references an HTTP private-IP endpoint. The active config is prod, but if the environment were switched to dev, sensitive analysis traffic could be sent to an untrusted local address.
base-url-open-api: "http://192.168.1.234:9601/smyx-open-api"
Remove dev configs from distributed packages or ensure users cannot accidentally enable them; use only HTTPS production endpoints.