TCM Facial Diagnosis Analysis Tool | 中医面诊分析工具
by smyx-sunjinhui · v1.0.0 · MIT-0
Downloads: 69 · Stars: 0 · Active Installs: 0 · Versions: 1
Install in OpenClaw
/install new-smyx-face-analysis
Description
Supports uploading local MP4 videos or network video URLs to call the server-side API for facial diagnosis. It returns structured TCM facial diagnosis result...
Usage Guidance
This skill does perform the advertised video→server analysis, but there are important red flags you should consider before installing or running it:
- Policy/code contradiction: SKILL.md forbids reading local memory/history, yet the code reads/writes a local SQLite DB (workspace/data) and will try to cache or retrieve tokens locally. Expect local files to be created and read.
- Undeclared environment access: the code reads environment variables (e.g., OPENCLAW_WORKSPACE, OPENCLAW_SENDER_OPEN_ID, OPENCLAW_SENDER_USERNAME, FEISHU_OPEN_ID) even though the skill metadata lists no required env vars or credentials. If you run this skill, it may use those env values automatically.
- Network endpoints: default config points to domains like lifeemergence.com / open.lifeemergence.com — the skill will send video metadata and might POST phoneLogin requests to those services. Confirm you trust those endpoints and understand their privacy policy before sending videos.
- Local command execution: the bundled common module can call 'openclaw agent' via subprocess.run — that will execute a local binary with arguments. Only run in a trusted, sandboxed environment.
- Large dependency footprint: the included common requirements are extensive; installing them on your system is a non-trivial action and may pull many packages.
Recommendations:
1. Ask the publisher for the genuine source/homepage and an explanation of why local DB caching and subprocess invocation are necessary, and why SKILL.md forbids reading memory while the code uses a local DB.
2. If you must test it, run in an isolated container or sandbox where network access, filesystem write locations, and subprocess calls are constrained.
3. Review and, if necessary, edit code to remove or control local DB writes and subprocess usage (or require explicit opt-in), and confirm the exact server endpoints and API key handling.
4. Do not provide sensitive videos, credentials, or global environment variables until you trust the endpoint and clarify what is stored locally.
If the author can provide a minimal build that only performs multipart upload to a documented API and removes local DB caching and subprocess invocation, the concerns here would be greatly reduced.
Capability Analysis
Type: OpenClaw Skill
Name: new-smyx-face-analysis
Version: 1.0.0
The skill bundle includes a complex shared library (smyx_common) that implements a local SQLite database (smyx-common-claw.db) for token management and a RequestUtil that automatically exfiltrates environment variables (OPENCLAW_SENDER_OPEN_ID) to a remote backend (*.lifeemergence.com). SKILL.md contains high-priority 'Mandatory Memory Rules' that force the AI agent to ignore its own local memory/LanceDB in favor of remote API data, which is a significant prompt-injection control mechanism. Additionally, scripts/skill.py in the common library contains an ai_chat function that executes shell commands via subprocess.run to call the openclaw binary, posing a risk of recursive execution or command injection.
Capability Assessment
Purpose & Capability
The skill's code and SKILL.md both implement video upload and server-side analysis (consistent). However, the bundle includes a large shared library (skills/smyx_common) with local SQLite DAO, many utilities, and a long dependency list — heavier than expected for a simple API wrapper. Some capabilities (local DB read/write, auto user creation, agent subprocess invocation) go beyond a minimal 'upload and call API' tool and are not explained in the description.
Instruction Scope
SKILL.md emphatically forbids reading local memory files and LanceDB and requires all historical queries come from the cloud. In contrast, the code uses a local SQLite DAO (skills/smyx_common/scripts/dao.py) that reads/writes a DB under the workspace/data path and RequestUtil tries to load cached user tokens from that DB. The code also may auto-create local user records via API calls. This directly contradicts the SKILL.md 'do not read local memory' rule.
Install Mechanism
There is no install spec (instruction-only install), which avoids remote installers. But the repository includes a large common requirements list (skills/smyx_common/requirements.txt) with many packages — installing these is non-trivial and disproportionate for a thin client. Because no install mechanism is declared, runtime failures or unexpected dependency installation behavior are possible if an operator tries to install it.
Credentials
The skill declares no required env vars, but code reads multiple environment variables (OPENCLAW_WORKSPACE, OPENCLAW_SENDER_OPEN_ID, OPENCLAW_SENDER_USERNAME, FEISHU_OPEN_ID, etc.) and config files under the workspace. RequestUtil and ConstantEnum.init use these env variables to set CURRENT__OPEN_ID and to locate local DB paths. That is an incoherence: the manifest claims no env/credential needs yet the code depends on and will use environment data and local config files.
Persistence & Privilege
The skill will create and use a local SQLite DB under the workspace/data directory (Dao.get_db_path) and may write attachments to local folders. It also contains an AgentSkill.ai_chat method that executes a subprocess calling a local 'openclaw' binary (subprocess.run), allowing it to run a local command. While 'always' is false and autonomous invocation is allowed by default, the combination of persistent local storage and subprocess invocation increases the blast radius and privacy exposure.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install new-smyx-face-analysis
- After installation, invoke the skill by name or use /new-smyx-face-analysis
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of TCM facial diagnosis analysis tool:
- Supports uploading MP4 videos or providing video URLs for facial analysis via server-side API.
- Returns structured TCM facial diagnosis reports, covering constitution identification and health suggestions.
- Enforces strict memory and data retrieval: all reports must be fetched from the cloud, never from local memory.
- Requires open-id acquisition through a rigorous multi-step process; user must provide if not found in config.
- Automatically saves uploaded attachments to the skill directory.
- Provides Markdown-formatted tables for listing historical reports, including direct links to view each report.
Frequently Asked Questions
What is TCM Facial Diagnosis Analysis Tool | 中医面诊分析工具?
Supports uploading local MP4 videos or network video URLs to call the server-side API for facial diagnosis. It returns structured TCM facial diagnosis result... It is an AI Agent Skill for Claude Code / OpenClaw, with 69 downloads so far.
How do I install TCM Facial Diagnosis Analysis Tool | 中医面诊分析工具?
Run "/install new-smyx-face-analysis" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is TCM Facial Diagnosis Analysis Tool | 中医面诊分析工具 free?
Yes, TCM Facial Diagnosis Analysis Tool | 中医面诊分析工具 is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does TCM Facial Diagnosis Analysis Tool | 中医面诊分析工具 support?
TCM Facial Diagnosis Analysis Tool | 中医面诊分析工具 is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created TCM Facial Diagnosis Analysis Tool | 中医面诊分析工具?
It is built and maintained by smyx-sunjinhui (@smyx-sunjinhui); the current version is v1.0.0.