Smyx Sleep Quality Analysis
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill's behavior mostly matches its stated purpose, sleep-video analysis, but it handles very sensitive health videos and report history with unclear identity/API-key boundaries, so it should be reviewed before use.
Install only if you trust the Smyx/Lifeemergence cloud service with private sleep-monitoring video and health reports. Before using it, verify what open-id means, avoid providing unnecessary phone numbers or real API keys as identifiers, and check how uploaded videos and saved attachments can be deleted.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may expose a phone number or credential-like value, and health report access may depend on an identifier whose authorization boundary is unclear.
The skill directs the agent to treat an API-key-like config value, or a user's username/phone number, as the account identifier used for saving and querying sleep analysis reports.
If the file exists and an api-key field is configured, read the api-key as the open-id ... execution must pause and the user must be explicitly prompted to provide a username or phone number as the open-id
Declare the credential/identity model explicitly, do not reuse an api-key field as open-id, and require a clearly scoped authenticated account token for report history access.
Users may believe an API key is controlling access or authentication when the visible workflow instead appears to rely on open-id/global configuration.
The CLI advertises an API key argument, but the visible analysis function does not apply that argument before making the API-backed analysis call.
parser.add_argument("--api-key", help="API访问密钥(必需)") ... def analyze_video(..., api_key=None, ...): ... return skill.get_output_analysis(input_path)
Either remove the unused API-key option or wire it into the request authentication path, and update SKILL.md/metadata so users know exactly what credential is required.
Private bedroom/sleep footage and health-related analysis results may leave the local device and be processed by the provider.
The stated workflow sends local sleep videos or video URLs to a cloud API and retrieves historical reports from that cloud service.
Local files are uploaded as multipart/form-data; network URLs are downloaded automatically by the API service ... all historical analysis report queries must be fetched from the cloud interface
Use only videos you are comfortable sending to the provider, and review the provider's privacy, retention, and deletion policies before uploading sensitive footage.
Sensitive sleep-monitoring videos may remain on disk after analysis unless the user or skill cleans them up.
The instructions say uploaded videos/attachments are automatically persisted under the skill directory.
If the user uploads an attachment or video file, it is automatically saved to the attachments folder under the skill directory
Document where attachments are stored, how long they remain, and provide a clear cleanup or deletion procedure.
If the environment were switched to dev, requests could be sent to an untrusted or unreachable local-network endpoint.
A bundled development config points to a raw private-IP HTTP endpoint. The default config uses prod, so this is not clearly active, but it is unexpected in a published skill.
base-url-open-api: "http://192.168.1.234:9601/smyx-open-api"
Remove development endpoints from published packages or clearly gate them so users cannot accidentally route sensitive data to them.
The agent may refuse to use local memory even if the user expected it to reference prior local context.
The skill uses high-priority language to override memory use. This appears intended to avoid stale/local report data, but it still changes the agent's normal context behavior.
⚠️ Mandatory memory rule (highest priority) ... Reading any local memory file is absolutely forbidden ... Retrieving information from LanceDB long-term memory is absolutely forbidden
Keep the rule narrowly scoped to sleep-report history queries and avoid claiming priority over unrelated user or system instructions.
