VOVO超能数据分析师
PassAudited by ClawScan on May 10, 2026.
Overview
This skill is a disclosed remote data-analysis connector that uploads user-selected files and prompts to a configured VOVO API, so it appears purpose-aligned but privacy-sensitive.
Install only if you intend to use VOVO as a remote data-analysis service. Verify the official API host, use a revocable token, and avoid uploading confidential or regulated files unless you trust the provider's security, retention, and remote sandbox behavior.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Files and analysis instructions you choose may be processed outside your machine by the VOVO service.
The user's prompt and uploaded file IDs are sent to a remote VOVO super-agent for analysis.
start_payload = {"appId": "1", "query": query, "files": file_ids, "is_network_enabled": True, "taskType": "analysis"}Only use this skill with data you are comfortable sending to the configured VOVO service, and check the provider's privacy and retention terms.
The remote sandbox may use network access while analyzing your uploaded data.
The remote analysis task is explicitly launched with network access enabled, with no documented user option in the artifacts to disable it.
"is_network_enabled": True
Avoid uploading highly sensitive files unless you trust the remote sandbox behavior; the publisher should document what remote network access is used for.
If VOVO_API_HOST is wrong or untrusted, the API token and uploaded files could be sent to that host.
The VOVO API token is read from the environment and sent as the authentication header to the configured API host.
headers = {"vovo-key": VOVO_API_TOKEN}Set VOVO_API_HOST only to the verified official HTTPS endpoint and keep VOVO_API_TOKEN scoped and revocable where possible.
Domain confusion can lead to misconfiguration or accidental disclosure of files and tokens to the wrong service.
The documentation references multiple related service domains for a skill that receives files and tokens, so users should verify which endpoint is official.
访问 VOVO 官方网站 (synvort.com) ... export VOVO_API_HOST="https://api.vort-ai.com"
Confirm the official VOVO domain and API host from a trusted source before configuring credentials.
Users may over-trust the remote service's data handling based on claims that cannot be verified from the local artifacts alone.
The artifact makes service-level privacy and retention assurances that are not locally enforceable by the included script.
阅后即焚:云端代码沙盒在完成运算并返回报告/图表后,会自动销毁临时执行环境。
Treat remote retention and deletion claims as provider policy claims, and verify them before uploading confidential data.