Plant Growth Stage Recognition Skill

Review

Audited by ClawScan on May 10, 2026.

Overview

The plant-analysis workflow is mostly coherent, but it uses a local API-key/phone-style identifier to access cloud-stored reports without a clear credential or privacy boundary.

Install only if you are comfortable sending plant media and an open-id/username/phone to the external cloud service. Do not put real secrets in the api-key field if it may be reused as open-id, and verify who can access historical report links before using it with sensitive farm or business data.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A secret-like value, username, or phone number could be used as the account identifier for cloud report storage and retrieval.

Why it was flagged

The skill treats a credential-like config field or personal identifier as the required identity for analysis and history queries, while the registry declares no credential or required config path.

Skill content
If the file exists and an api-key field is configured, read the api-key as the open-id ... execution must pause and the user must be explicitly prompted to provide a username or phone number as the open-id
Recommendation

Use a dedicated non-secret user ID, declare the required identifier/config in metadata, and require explicit user confirmation before querying stored reports.

What this means

Plant images or videos you provide may be uploaded to the provider’s cloud service for processing.

Why it was flagged

The inherited workflow reads the user-selected media file and uploads it to the analysis API. This is expected for computer-vision analysis, but it means local media leaves the device.

Skill content
with open(input_path, 'rb') as f: file_content = f.read() ... files = {'file': ...} ... response = self.analysis(params=params, files=files)
Recommendation

Only analyze files you are comfortable sending to the service, and avoid using sensitive or private media unless you trust the provider.

What this means

If the environment were switched to dev, data could be sent to a private LAN HTTP endpoint instead of the production service.

Why it was flagged

A development config includes a private raw-IP HTTP endpoint. The default config selects prod, so this is not active by default, but it is unexpected in a distributed skill.

Skill content
base-url-open-api: "http://192.168.1.234:9601/smyx-open-api"
Recommendation

Remove dev endpoints from published packages or clearly gate them so users cannot accidentally route data to them.

What this means

Past analysis report links may appear in chat when history is requested.

Why it was flagged

The skill retrieves persistent cloud report history and outputs report links into the chat. This is purpose-aligned for history lookup, but it exposes stored report references in the conversation.

Skill content
Fetch the latest complete data from the cloud API, then output the result as a Markdown table ... [🔗 View report](reportImageUrl)
Recommendation

Confirm the open-id belongs to the current user and avoid sharing report links in chats where others can see them.