Skill v1.0.0
ClawScan security
Outdoor Sports Event Risk Analysis Tool | 户外体育赛事风险分析工具 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict: Suspicious (Apr 15, 2026, 2:43 PM)
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill largely matches a video-analysis-for-safety purpose, but contains multiple mismatches and surprising behaviors (silent remote uploads to an external API, local config/DB code, and contradictory SKILL.md rules) that warrant caution before installing or sending sensitive video.
- Guidance: This skill will send videos (or video URLs) to a remote analysis API and includes code to read/write YAML config files and potentially create a local SQLite DB in the workspace. Before installing or using it:
  1. Verify and trust the remote API endpoints (the default configs point to lifeemergence.com); do not upload sensitive or private videos until you confirm the operator and data retention policy.
  2. Inspect the RequestUtil implementation (skills/smyx_common/scripts/util.py) to see what metadata is sent with uploads and whether files are stored or retried.
  3. Note that the SKILL.md rules forbid reading local memory, but the code can create/read config files and a local DB — this inconsistency is suspicious; run the skill in an isolated environment (sandbox/container) if you must test.
  4. The open-id retrieval instructions in SKILL.md are inconsistent with the code (they suggest reading an 'api-key' as open-id); be prepared to supply an open-id explicitly if asked.
  5. If you require confidentiality or legal compliance (GDPR, HIPAA, etc.), do not use this skill until you confirm where data is hosted and how long it is retained.
  If anything is unclear from the author, prefer skills from verified sources or request clarification about data flows, retention, and operator identity.
- Findings:
  - [network_calls_requests_http_post] expected: Multiple modules import requests and use RequestUtil.http_post to call remote API endpoints (expected for a remote analysis service).
  - [yaml_config_read_write] expected: BaseEnum -> YamlUtil.load will read/create config.yaml files under skill directories (used to load API base URLs). This is expected for configurable API endpoints, but conflicts with SKILL.md's prohibition on reading local memory.
  - [local_sqlite_db_code] unexpected: skills/smyx_common/scripts/dao.py contains code to create/use a local SQLite DB under the workspace data directory. A sports-analysis-only skill does not obviously require a local DB, and this contradicts the SKILL.md ban on local memory usage.
  - [external_default_endpoints] expected: Config files include default base URLs pointing to lifeemergence.com open-api/health endpoints; uploading video data to an external service is expected for remote analysis but requires user consent and verification of the service operator.
Review Dimensions
- Purpose & Capability (note): The code and SKILL.md implement video-based sports risk analysis and related face/health analysis (files: scripts/sport_analysis.py, skills/face_analysis/*). Network calls to a remote analysis API are present and expected for this purpose. However, the SKILL.md also contains paragraphs about smoking detection and other domains, and the package ships a large shared 'smyx_common' module (many utilities) which is broader than a single-purpose 'sport analysis' skill — this suggests code reuse and scope creep. The presence of local DB/DAO code and a long list of common utilities is heavier than strictly needed for a simple video upload-and-request flow.
- Instruction Scope (concern): SKILL.md strictly forbids reading local memory files and LanceDB, and mandates an open-id retrieval sequence (checking skills/smyx_common/scripts/config.yaml first). The code, however, will load/initialize YAML config files via skills/smyx_common/scripts/config.py (BaseEnum -> YamlUtil.load will create/write config.yaml if missing), and the smyx_common dao can create/read a local SQLite DB under the workspace data directory. The SKILL.md requires saving uploaded attachments to a local attachments directory, but the code does not clearly implement that behavior. The open-id retrieval instruction also instructs reading an 'api-key' field as open-id, which is a semantic mismatch. Overall, the runtime instructions and the actual code disagree about what local state may be read/written.
- Install Mechanism (note): There is no install spec (instruction-only), which reduces installer risk, but the repository includes many code files and requirements.txt files in skills/smyx_common and face_analysis listing dozens of packages. Because no install mechanism is declared, users' environments may not have the required dependencies; the large requirements list is disproportionate to the stated single-skill purpose and increases the risk if someone manually installs them. No external download URLs or installers were found.
- Credentials (concern): Registry metadata lists no required env vars, but the code reads environment variables in ConstantEnum.init (OPENCLAW_SENDER_OPEN_ID, OPENCLAW_SENDER_USERNAME, FEISHU_OPEN_ID) to set CURRENT__OPEN_ID. The SKILL.md enforces open-id retrieval in a specific order (config files -> workspace config -> user prompt) and forbids auto-generating open-id, but the code will accept an open-id from the environment or command line. The skill will (by design) transmit uploaded videos or video URLs to remote API endpoints (ApiEnum BASE_URL_* configured in skills/smyx_common/scripts/config.yaml). There is no declared primary credential, but config.yaml contains base URLs and placeholders for api-key; videos and potentially PII could be sent to an external domain (lifeemergence.com in shipped configs) without clear, explicit authentication — this is a proportionality and privacy concern.
- Persistence & Privilege (concern): always:false (good). However, the package contains code that will create and write config YAML files (YamlUtil.load creates files if absent), and smyx_common.dao will create a local SQLite DB under the workspace data directory. SKILL.md explicitly forbids reading local memory files, but the code may create/read workspace-local files and a DB. The skill does not request elevated agent privileges in metadata, but its ability to write to the workspace and persist data is non-trivial and contradicts the stated prohibition on local-memory access.
