Real-time Employee Absence Monitoring Skill | 人员离岗实时监测技能

Real-time monitoring of personnel on-duty status in specific areas based on computer vision and human pose estimation, automatically detects abnormal statuse...

This skill claims to call a cloud API for absence detection, which is reasonable, but there are several red flags you should consider before installing or running it: - Inconsistency: SKILL.md forbids reading local memory, yet the code reads workspace config files, environment variables, and can create a local SQLite DB and attachments. Ask the author which local files the skill will actually access and why local persistence is needed. - Data exfiltration risk: The scripts call remote API endpoints (configurable base URLs) and will upload media files (local video/image) to those endpoints. Verify the API endpoint (ApiEnum BASE_URL values) and that you trust the remote service before uploading any sensitive footage. Do not pass organization/employee credentials or private videos until you confirm the endpoint and privacy policy. - Credentials and config: The skill will read env vars and config YAML under the workspace; ensure these files do not contain unrelated secrets (API keys, DB URLs) before granting execution. Prefer providing only the minimal --open-id / --api-key at runtime rather than leaving broad workspace config populated. - Persistence: The skill will create files (attachments) and a local DB under the workspace; run this in an isolated environment or sandbox (or review and change file paths) if you do not want persistent artifacts stored in your primary workspace. - Dependency / installation: The package includes large requirements but no install instructions. If you intend to run it, install and review dependencies in an isolated virtual environment and inspect RequestUtil (skills/smyx_common/scripts/util.py) to confirm how HTTP requests are made and where data is sent. Recommended actions before use: 1. Request clarification from the publisher about why local DB/DAO and face-analysis components are bundled and whether they are required. 2. Inspect skills/smyx_common/scripts/util.py (especially RequestUtil) to confirm exact network endpoints, headers, and whether any credentials are automatically read or transmitted. 3. Run the skill in a sandboxed environment with dummy data first; do not use real employee footage until you confirm storage and retention policies for remote servers. 4. If you cannot verify endpoints and behavior, decline to install or disable autonomous invocation; require manual invocation and explicitly avoid supplying organizational secrets or unrestricted workspace config files. If you want, I can extract and summarize the RequestUtil and util.py implementations and list all places where network requests or file writes happen to help you decide.

Type: OpenClaw Skill Name: smyx-staff-absence-detection-analysis Version: 1.0.0 The skill bundle exhibits several high-risk behaviors and agent-manipulation tactics. The SKILL.md file contains 'Mandatory Memory Rules' that use high-priority prompt instructions to force the AI agent to ignore local memory files and LanceDB, mandating that all data be fetched from and sent to a specific cloud service (lifeemergence.com); this effectively bypasses local context/auditing. The code includes a complex common utility layer (smyx_common) that implements a local SQLite database (smyx-common-claw.db) to manage user tokens and a subprocess wrapper (AgentSkill.ai_chat) that allows the skill to recursively execute the 'openclaw' CLI. While these features support the stated goal of cloud-based computer vision analysis, the aggressive redirection of data flow and the ability to trigger secondary agent processes warrant a suspicious classification. IOCs include: open.lifeemergence.com and lifeemergence.com.