Yoga Student Management (瑜伽学员管理)
Pass
Audited by ClawScan on May 11, 2026.
Overview
This appears to be a legitimate local yoga student manager, but it stores student records and SMTP email credentials locally and sends records through the configured mailbox.
Before installing, be comfortable with storing student data and an SMTP app password in the skill folder. Use an app-specific email code, protect config.json and yoga_students.db, verify where reports are emailed, and prefer a complete trusted source package.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who can read the config file may obtain the SMTP credential and potentially send email as that account.
The skill saves the configured SMTP account and password/app authorization code in a local JSON config file so it can send email notifications.
CONFIG_PATH = Path(__file__).parent / "config.json" ... 'email': email, 'password': password ... save_config(config)
Use an app-specific email authorization code, protect file permissions, and consider moving the credential to a keychain or environment variable.
The local database may contain sensitive student and business information that remains on disk between sessions.
The skill creates a persistent local SQLite database containing student identity/contact details, notes, courses, prices, and deduction logs.
DB_PATH = Path(__file__).parent / "yoga_students.db" ... name TEXT ... phone TEXT ... wechat TEXT ... notes TEXT
Store the skill directory securely, avoid syncing the database to public locations, and back it up or delete it intentionally when no longer needed.
Student information leaves the local machine via the chosen email provider when deduction records or full reports are sent.
Formatted student records are sent through the configured SMTP provider; the normal wrapper defaults to sending to the configured sender address.
recipient = to_email or sender ... server.sendmail(sender, [recipient], msg.as_string())
Confirm the SMTP server and recipient, use TLS/app passwords, and avoid putting highly sensitive information in student notes if it will be emailed.
No suspicious behavior is shown in the visible code, but assurance is lower because one file was not fully available in the review artifact.
The provided review artifact does not include the complete database.py source, limiting verification of the unseen portion from the supplied materials.
"truncated": true; content ends with "...[truncated]"
Install only from a trusted source and prefer a release where the full source is available for review.
