Still Alive? Monitoring Service (还活着么监测服务)
v1.0.1 provides people living alone with daily check-in and status monitoring, automatically raising alerts and notifying emergency contacts to keep them safe.
Security Scan
Scanner: OpenClaw
Verdict: Suspicious (medium confidence)
Purpose & Capability
The code implements the stated live-check and alerting functionality (user registration, checkin, scheduled checks, multi-channel notifiers). However there are clear copy‑paste artifacts (strings like 'GitHub Trending Monitor', email/telegram/discord functions named sendTrendingReport and messaging that references trending repos) that are unrelated to an 'alive check' service and indicate the code was reused without full adaptation.
Instruction Scope
SKILL.md and README instruct normal install/run and specify required config (SKILLPAY_API_KEY and optional notifier tokens). The runtime code reads/writes local data under ./data (users.json/checkins.json) — expected. But SKILL.md/README list SMS and other features that are not implemented (no SMS notifier file), and some notifier functions are mismatched (they expect 'repos' but are called with empty arrays and a message passed in options). Also the manifest/registry metadata earlier claimed 'required env vars: none' while the docs and code expect SKILLPAY_API_KEY — this inconsistency is concerning.
Install Mechanism
This is an instruction + npm project (no external download URLs). Dependencies are standard npm packages (express, axios, telegraf, discord.js, nodemailer, node-cron). Installation via npm install/npm start is typical; no high-risk installers or arbitrary remote archives are used.
Credentials
The service legitimately needs a payment API key (SKILLPAY_API_KEY) and optional notifier tokens. However the skill manifest/registry metadata claimed no required env vars while SKILL.md, README, and src/index.js expect SKILLPAY_API_KEY and notifier tokens — a mismatch. Worse, skill.json in the package contains an apparent SKILLPAY API key value embedded in the repo (hardcoded secret) which is unexpected and risky (secret leak / can be abused).
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It persists user data to a local data/ directory (users.json/checkins.json) and schedules periodic checks via node-cron — behavior consistent with a monitoring service. Autonomous invocation (default) is enabled, which is expected for this kind of scheduled monitor.
Scan Findings in Context
[hardcoded_api_key] unexpected: skill.json contains a long SKILLPAY-like apiKey value embedded in the repository. API keys should not be hard-coded in published packages or manifests; this looks like a secret leak or placeholder that could be abused.
[copy_paste_artifacts] unexpected: Multiple notifier modules and email/telegram message templates reference 'GitHub Trending Monitor' and use function names like sendTrendingReport — inconsistent with the 'alive check' purpose and indicating reused code that wasn't fully adapted.
What to consider before installing
Key things to consider before installing or using this skill:
- Do not treat the bundled apiKey as safe: skill.json contains a hard-coded SKILLPAY-looking API key. Assume it is leaked or invalid; if you use the SkillPay integration, replace it with your own key and rotate any exposed key immediately.
- Manifest vs. docs mismatch: the registry metadata said no required env vars but SKILL.md/README and the code expect SKILLPAY_API_KEY and optional notifier tokens (Telegram/Discord/Email). Make sure to supply secure credentials via environment variables, not by embedding them in files.
- Copy‑paste artifacts: notifier code and templates reference an unrelated 'GitHub Trending Monitor'. This is likely reused code; review notifier behavior carefully so alerts sent to contacts contain correct information and no unexpected content.
- Test in an isolated environment: run the service locally in a sandbox, with test users and test contact endpoints (not real emergency contacts), to confirm notifications and scheduled checks behave as expected.
- Privacy and safety: the skill stores user data locally (data/users.json, data/checkins.json). Ensure the host environment has appropriate disk encryption, backups, and access controls. Confirm compliance with local laws and the consent of monitored users.
- Payment integration: verify SkillPay endpoint (https://api.skillpay.me) and confirm what data is sent during payment verification/logging; consider running with SKILLPAY disabled until you audit it.
- Before production use: eliminate unused/incorrect code (trending-related templates), ensure SMS notifier is implemented if you plan to rely on SMS, and conduct code review or security audit if real people’s safety depends on the system.
If you want, I can list the exact lines/files where the hard-coded apiKey and the 'GitHub Trending Monitor' strings appear and suggest concrete changes to sanitize the code.
Still Alive? Monitoring Service (还活着么监测服务)
Daily check-in monitoring for people living alone, looking after their safety.
Features
Core features
Daily check-in
- Users check in every day to confirm they are "still alive"
- A mood or status description can be added
- Voice, text and image check-ins are supported
Emergency contacts
- Set up multiple emergency contacts
- Tiered notification mechanism
- Telegram, Discord, Email and SMS are supported
Automatic monitoring
- User status is checked every 6 hours
- An alert is raised automatically after 24 hours without a check-in
- At 48 hours the user is marked high-risk and all contacts are notified
Check-in history
- View check-in records
- Statistics and analysis
- Export reports
API endpoints
POST /register
Register a user and set up emergency contacts
Example request:
{
"userId": "user123",
"name": "张三",
"phone": "13800138000",
"emergencyContacts": [
{
"name": "李四",
"relation": "朋友",
"phone": "13900139000",
"telegram": "123456789",
"priority": 1
}
]
}
POST /checkin
Daily user check-in
Example request:
{
"userId": "user123",
"message": "今天状态不错!",
"mood": "😊",
"location": "在家"
}
GET /status/:userId
Query a user's check-in status
Example response:
{
"userId": "user123",
"name": "张三",
"lastCheckin": "2026-03-06T10:30:00Z",
"hoursSinceLastCheckin": 5,
"status": "正常",
"consecutiveDays": 15
}
GET /history/:userId
View check-in history
Query parameters:
- days: number of days to query (default 7)
- limit: number of records to return
Configuration
Required:
SKILLPAY_API_KEY: SkillPay API key
Optional:
TELEGRAM_BOT_TOKEN: Telegram notifications
DISCORD_WEBHOOK_URL: Discord notifications
EMAIL_USER/EMAIL_PASS: email notifications
SMS_API_KEY: SMS notifications
Alert flow
- 12 hours without a check-in → friendly reminder to the user
- 24 hours without a check-in → notify the first emergency contact
- 48 hours without a check-in → notify all emergency contacts and mark as high-risk
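The escalation above, as an added example (not the project's own code): it evaluates a user against the 12/24/48-hour tiers the way a 6-hourly scheduled check would, ranking emergency contacts by the `priority` field from the /register payload. The function names, the `level` strings and the sample user are assumptions made for illustration.

```javascript
// Added example, not the project's own code: the escalation tiers from the
// README (12h reminder, 24h first emergency contact, 48h all contacts and a
// high-risk flag), evaluated the way a scheduled 6-hourly check would.
// Function and field names below are assumptions for illustration.
const TIERS = [
  { hours: 48, level: 'high_risk' },
  { hours: 24, level: 'notify_first_contact' },
  { hours: 12, level: 'remind_user' },
];

// Whole hours elapsed between the last check-in and "now" (both ISO 8601 UTC).
function hoursSince(lastCheckinIso, nowIso) {
  return Math.floor((Date.parse(nowIso) - Date.parse(lastCheckinIso)) / 3600000);
}

// Decide which tier applies and who must be notified. Contacts are ranked by
// the "priority" field from the /register payload (1 = notified first).
function evaluateUser(user, lastCheckinIso, nowIso) {
  const hours = hoursSince(lastCheckinIso, nowIso);
  const tier = TIERS.find((t) => hours >= t.hours); // TIERS is ordered high to low
  const level = tier ? tier.level : 'ok';
  const ranked = [...user.emergencyContacts].sort((a, b) => a.priority - b.priority);
  let notify = [];
  if (level === 'notify_first_contact') notify = ranked.slice(0, 1);
  if (level === 'high_risk') notify = ranked;
  return {
    userId: user.userId,
    hoursSinceLastCheckin: hours,
    level,
    highRisk: level === 'high_risk',
    notifyContacts: notify.map((c) => c.name),
  };
}

// Constructed sample user in the shape of the /register request body.
const SAMPLE_USER = {
  userId: 'user123',
  name: '张三',
  emergencyContacts: [
    { name: '王五', relation: '家人', priority: 2 },
    { name: '李四', relation: '朋友', priority: 1 },
  ],
};

// 49 whole hours since the last check-in: high risk, both contacts notified.
console.log(evaluateUser(SAMPLE_USER, '2026-03-06T10:30:00Z', '2026-03-08T12:00:00Z'));
```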
Use cases
- Safety monitoring for elderly people living alone
- Young people living alone looking out for each other
- Safety net for people with depression
- Daily monitoring for people with chronic illness
- Safety confirmation while travelling alone
Pricing
- 0.001 USDT/day
- Settled automatically via SkillPay.me
Installation
npm install
npm start
License
MIT
