还活着么监测服务 (Still Alive? Monitoring Service)
v1.0.1 Provides daily check-in and automatic monitoring for people living alone, with multi-channel emergency notifications to safeguard users' safety and health.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description (daily alive-check + emergency notifications) is consistent with the code's endpoints and notification/payment modules. However the package/registry metadata lists no required environment variables while the SKILL.md and source expect SKILLPAY_API_KEY and optional notifier credentials (TELEGRAM_BOT_TOKEN, DISCORD_WEBHOOK_URL, EMAIL_USER/EMAIL_PASS, SMS_API_KEY). Additionally, notifier code contains copy-pasted GitHub-trending text/templates (e.g., embeds titled "GitHub Trending Monitor"), and package.json includes discord.js though the Discord notifier posts via axios — these indicate sloppy composition and partial reuse of unrelated code.
Instruction Scope
Runtime instructions are straightforward (npm install / npm start) and the SKILL.md describes required config (SkillPay API key and optional notifier tokens). The code only reads/writes local ./data files and calls external services (SkillPay API, Telegram/Discord/email/webhooks). It does not attempt to read host secrets or system files outside the skill directory. However SKILL.md/README include/expect environment variables that are not declared in the registry metadata; README and skill.json also contain a plaintext API key embedded in the files (see below), which is a security concern and inconsistent with the 'no required env vars' metadata.
Install Mechanism
There is no platform install spec (it is instruction-driven). Installation uses npm install as documented. Dependencies are common (axios, express, telegraf, nodemailer, node-cron). Some dependencies/strings appear unnecessary or inconsistent (discord.js listed but not used; notifier templates referring to a different product), which suggests copy-paste but not direct install-time maliciousness.
Credentials
Requested credentials (SkillPay API key and optional notifier tokens) are appropriate for payment and notification features. But the registry metadata claiming 'no required env vars' conflicts with the code/SKILL.md that require SKILLPAY_API_KEY. More importantly, the repository/README/skill.json include an apparent SKILLPAY API key in plaintext (sk_e390b5...), which is a secret disclosure and a red flag: either the key is leaked (someone mistakenly committed a secret) or the package is shipping with a service credential that could be abused. This mismatch and the leaked key justify extra scrutiny.
Persistence & Privilege
The skill does not request 'always: true' and does not attempt to modify other skills or system-wide settings. It stores user data under its own ./data directory and writes local JSON files. It will run scheduled tasks via node-cron, which is expected for monitoring. Overall persistence and privileges are proportional.
What to consider before installing
Key points to consider before installing or running this skill:
- Do not run it on a sensitive or production machine until you review and fix issues: the package contains an apparent SkillPay API key in plaintext (README and skill.json). Treat that as a leaked secret — ask the author to remove it and rotate the key immediately.
- The registry metadata declares no required environment variables but the code and SKILL.md require SKILLPAY_API_KEY and optional notifier tokens (Telegram/Discord/Email/SMS). Ensure you supply only credentials you control and limit their permissions.
- The notifier modules include copy-pasted templates referencing an unrelated "GitHub Trending Monitor" and some dependencies seem unused; this suggests the code was assembled from other projects. Audit message content and behavior (what gets sent to contact webhooks) before trusting it to notify real emergency contacts.
- Verify the SkillPay endpoints and API usage: the payment module will send requests to https://api.skillpay.me. If you plan to enable payments, use an account/API key with minimal scope and monitor for unexpected traffic.
- If you plan to deploy: remove hard-coded credentials, declare required env vars in your deployment config, rotate any leaked keys, and run the server in an isolated environment. Consider code cleanup (remove unused deps like discord.js if unused) and test notification flows with test accounts before adding real emergency contacts.
If you want, I can list the exact files/lines where the plaintext API key and mismatches occur and suggest a minimal remediation checklist (rotate key, remove key from repo, update skill metadata to declare required env vars, fix notifier templates).
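The configuration and secret-handling points from the scan above, as an added Node.js example that is not part of the skill's own code: a config loader that fails at startup when SKILLPAY_API_KEY is absent (so a deployment whose metadata forgot to declare it cannot run half-configured), treats a notifier channel with only some of its variables set as incomplete instead of silently enabling it, and a scan that flags a SkillPay-looking key embedded in a repository file. The `sk_` plus hex-digits key pattern, the channel-to-variable mapping, and the sample skill.json with its dummy key are assumptions, not taken from the project.

```javascript
// Added example, not the skill's own code: fail-fast config loading for the
// variables SKILL.md describes, plus a scan for keys embedded in shipped files.

const REQUIRED_VARS = ['SKILLPAY_API_KEY'];

// Each optional notification channel and the variables it needs to be usable
// (mapping assumed from the variable names SKILL.md lists).
const CHANNELS = {
  telegram: ['TELEGRAM_BOT_TOKEN'],
  discord: ['DISCORD_WEBHOOK_URL'],
  email: ['EMAIL_USER', 'EMAIL_PASS'],
  sms: ['SMS_API_KEY'],
};

// Assumed shape of a SkillPay key: the "sk_" prefix followed by hex digits.
const SECRET_PATTERN = /\bsk_[0-9a-f]{6,}\b/g;

// Build the runtime config from an env object (normally process.env).
// Throws when a required variable is missing so the service fails at startup
// rather than on the first payment call. Channels with only some of their
// variables set are reported as incomplete instead of being half-enabled.
function loadConfig(env) {
  const missing = REQUIRED_VARS.filter((k) => !env[k]);
  if (missing.length > 0) {
    throw new Error(`missing required environment variables: ${missing.join(', ')}`);
  }
  const enabledChannels = [];
  const incompleteChannels = [];
  for (const [name, vars] of Object.entries(CHANNELS)) {
    const present = vars.filter((k) => Boolean(env[k])).length;
    if (present === vars.length) enabledChannels.push(name);
    else if (present > 0) incompleteChannels.push(name);
  }
  return { skillpayApiKey: env.SKILLPAY_API_KEY, enabledChannels, incompleteChannels };
}

// Scan the text of a file (README.md, skill.json, ...) for embedded keys and
// return one finding per match with a redacted preview, never the full value.
function findEmbeddedSecrets(filename, text) {
  const findings = [];
  text.split('\n').forEach((line, index) => {
    for (const match of line.matchAll(SECRET_PATTERN)) {
      findings.push({ file: filename, line: index + 1, preview: `${match[0].slice(0, 6)}...` });
    }
  });
  return findings;
}

// Constructed sample: a skill.json with a dummy key committed by mistake.
const SAMPLE_SKILL_JSON = [
  '{',
  '  "name": "alive-check",',
  '  "apiKey": "sk_0123456789abcdef"',
  '}',
].join('\n');

function demo() {
  const findings = findEmbeddedSecrets('skill.json', SAMPLE_SKILL_JSON);
  for (const f of findings) {
    console.log(`${f.file}:${f.line}: embedded secret ${f.preview} (remove it and rotate the key)`);
  }
  return findings;
}

demo();
```

Run the secret scan as a pre-publish check over README.md and skill.json; a non-empty result means the key must be removed from the files and rotated, since anything already committed should be treated as disclosed.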
还活着么监测服务 (Still Alive? Monitoring Service)
A daily check-in monitoring service for people living alone, caring for their safety.
Features
Core Features
Daily Check-in
- Users check in every day to prove they are "still alive"
- A mood or status note can be added
- Voice, text and image check-ins are supported
Emergency Contacts
- Set multiple emergency contacts
- Tiered notification mechanism
- Supports Telegram, Discord, Email and SMS
Automatic Monitoring
- Checks each user's status every 6 hours
- Raises an alert automatically after more than 24 hours without a check-in
- At 48 hours, a high-risk notification goes to all contacts
Check-in History
- View check-in records
- Statistics and analysis
- Export reports
API Endpoints
POST /register
Register a user and set emergency contacts
Request example:
{
  "userId": "user123",
  "name": "张三",
  "phone": "13800138000",
  "emergencyContacts": [
    {
      "name": "李四",
      "relation": "朋友",
      "phone": "13900139000",
      "telegram": "123456789",
      "priority": 1
    }
  ]
}
POST /checkin
Daily user check-in
Request example:
{
  "userId": "user123",
  "message": "今天状态不错!",
  "mood": "😊",
  "location": "在家"
}
GET /status/:userId
Query a user's check-in status
Response example:
{
  "userId": "user123",
  "name": "张三",
  "lastCheckin": "2026-03-06T10:30:00Z",
  "hoursSinceLastCheckin": 5,
  "status": "正常",
  "consecutiveDays": 15
}
GET /history/:userId
View check-in history
Query parameters:
days: number of days to query (default 7)
limit: number of records to return
Configuration
Required:
SKILLPAY_API_KEY: SkillPay API key
Optional:
TELEGRAM_BOT_TOKEN: Telegram notifications
DISCORD_WEBHOOK_URL: Discord notifications
EMAIL_USER/EMAIL_PASS: email notifications
SMS_API_KEY: SMS notifications
Alert Flow
- No check-in for 12 hours → gentle reminder to the user
- No check-in for 24 hours → notify the first emergency contact
- No check-in for 48 hours → notify all emergency contacts and mark the user as high risk
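The alert flow above as an added worked example in Node.js, not the skill's own code: the escalation decision the 6-hourly monitor would take from a user's lastCheckin, computing hoursSinceLastCheckin as /status does and picking the highest threshold reached. The field names and the user 张三 / contact 李四 come from the README's /register and /status examples; the tier labels ok/reminder/alert/high-risk, the rule that a lower priority number is contacted first, the fallback to the user when no contacts are configured, and the second contact 王五 are assumptions.

```javascript
// Added example, not the skill's own code: escalation decision for the
// 12h / 24h / 48h alert ladder applied to one user's last check-in.

const HOUR_MS = 60 * 60 * 1000;

// Escalation ladder in ascending severity; the highest threshold reached wins.
// Level and target names are assumed, not the skill's own identifiers.
const TIERS = [
  { minHours: 12, level: 'reminder', target: 'user' },
  { minHours: 24, level: 'alert', target: 'primary' },
  { minHours: 48, level: 'high-risk', target: 'all' },
];

// Whole hours elapsed since the ISO timestamp, like hoursSinceLastCheckin in /status.
// A malformed or future timestamp is rejected rather than silently read as "0 hours".
function hoursSince(lastCheckinIso, now) {
  const elapsed = now.getTime() - Date.parse(lastCheckinIso);
  if (Number.isNaN(elapsed) || elapsed < 0) {
    throw new Error(`invalid lastCheckin timestamp: ${lastCheckinIso}`);
  }
  return Math.floor(elapsed / HOUR_MS);
}

// Decide what the monitor should send for one user right now: the tier reached,
// who to notify (the user at 12h, the first contact at 24h, everyone at 48h),
// and whether the user is to be marked high risk.
function escalate(user, now) {
  const hours = hoursSince(user.lastCheckin, now);
  const tier = TIERS.filter((t) => hours >= t.minHours).pop();
  if (!tier) {
    return { hours, level: 'ok', notify: [], markHighRisk: false };
  }
  // Lower "priority" number means contacted first, as in the /register example.
  const contacts = [...(user.emergencyContacts || [])].sort((a, b) => a.priority - b.priority);
  let notify;
  if (tier.target === 'user') notify = [user.name];
  else if (tier.target === 'primary') notify = contacts.slice(0, 1).map((c) => c.name);
  else notify = contacts.map((c) => c.name);
  const result = { hours, level: tier.level, notify, markHighRisk: tier.level === 'high-risk' };
  // A user past 24h with no contacts configured would otherwise be silently skipped.
  if (tier.target !== 'user' && notify.length === 0) {
    result.warning = 'no emergency contacts configured; falling back to the user';
    result.notify = [user.name];
  }
  return result;
}

// Constructed sample user based on the README's /register and /status examples;
// 王五 is an added second contact so the priority ordering is visible.
const SAMPLE_USER = {
  userId: 'user123',
  name: '张三',
  lastCheckin: '2026-03-06T10:30:00Z',
  emergencyContacts: [
    { name: '王五', relation: 'family', priority: 2 },
    { name: '李四', relation: '朋友', priority: 1 },
  ],
};

// Evaluate the sample user at four points in time, one per tier.
function demo() {
  const checkpoints = [
    '2026-03-06T15:30:00Z',
    '2026-03-07T00:30:00Z',
    '2026-03-07T12:30:00Z',
    '2026-03-08T12:30:00Z',
  ];
  return checkpoints.map((iso) => {
    const r = escalate(SAMPLE_USER, new Date(iso));
    console.log(`${iso}: ${r.hours}h -> ${r.level}, notify [${r.notify.join(', ')}]`);
    return r;
  });
}

demo();
```

Because the monitor runs every 6 hours, a real deployment would also record which tier was last sent per user so the same reminder is not re-sent on every run; that bookkeeping is left out here to keep the decision logic itself visible.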
Use Cases
- Safety monitoring for elderly people living alone
- Young people living alone looking out for each other
- Safety assurance for people with depression
- Daily monitoring for people with chronic illness
- Safety confirmation while travelling alone
Pricing
- 0.001 USDT/day
- Settled automatically via SkillPay.me
Installation
npm install
npm start
License
MIT
