Family Consumption Intent Recognition (家庭消费意图识别)
Pass
Audited by ClawScan on May 1, 2026.
Overview
This skill appears to perform the advertised family chat consumption-intent classification, with only minor deployment/privacy cautions around its optional API server and undeclared Python web dependencies.
This looks safe for local, user-directed classification. Before using the API mode, install only trusted dependencies and consider changing the server to listen on localhost with restricted CORS, especially if the text contains private family conversations.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
API usage may fail until extra packages are installed, and users should make sure they install trusted versions of Flask and Flask-CORS.
The API mode depends on third-party Python packages, while the registry requirements only declare python3 and there is no install spec. This is not suspicious by itself, but dependency requirements are under-specified.
from flask import Flask, request, jsonify
from flask_cors import CORS
Declare and pin the Python package dependencies for API mode, or document that only the CLI classifier works with the stated python3 requirement.
Other devices or browser origins that can reach the machine may be able to call the classifier service while it is running.
If the API server is run, it listens on all network interfaces and allows cross-origin browser access. The endpoint only classifies submitted text and does not store or exfiltrate data, but family chat text can be sensitive.
CORS(app)  # Enable cross-origin support
...
app.run(host='0.0.0.0', port=5000, debug=False)
For private use, bind the API to 127.0.0.1, restrict CORS to trusted origins, and avoid sending sensitive family chat text to an exposed service.
