← 返回 Skills 市场

还活着么监测服务

Name: 还活着么监测服务
Author: zhdryanchang

作者 zhdryanchang · GitHub ↗ · v1.0.1

cross-platform ⚠ suspicious

251

总下载

当前安装

版本数

在 OpenClaw 中安装

/install daily-alive-check

功能描述

提供独居人群每日签到与自动监测，支持多渠道紧急通知，保障用户安全与健康状态。

使用说明 (SKILL.md)

还活着么监测服务

独居人群每日签到监测服务，关爱独居安全。

功能介绍

核心功能

每日签到

用户每天签到证明"还活着"
可添加心情、状态描述
支持语音、文字、图片签到

紧急联系人

设置多个紧急联系人
分级通知机制
支持Telegram、Discord、Email、短信

自动监测

每6小时检查用户状态
超过24小时未签到自动告警
48小时高危状态通知所有联系人

签到历史

查看签到记录
统计分析
导出报告

API 端点

POST /register

注册用户并设置紧急联系人

请求示例：

{
  "userId": "user123",
  "name": "张三",
  "phone": "13800138000",
  "emergencyContacts": [
    {
      "name": "李四",
      "relation": "朋友",
      "phone": "13900139000",
      "telegram": "123456789",
      "priority": 1
    }
  ]
}

POST /checkin

用户每日签到

请求示例：

{
  "userId": "user123",
  "message": "今天状态不错！",
  "mood": "😊",
  "location": "在家"
}

GET /status/:userId

查询用户签到状态

响应示例：

{
  "userId": "user123",
  "name": "张三",
  "lastCheckin": "2026-03-06T10:30:00Z",
  "hoursSinceLastCheckin": 5,
  "status": "正常",
  "consecutiveDays": 15
}

GET /history/:userId

查看签到历史

查询参数：

days: 查询天数（默认7天）
limit: 返回记录数

配置说明

必需配置：

SKILLPAY_API_KEY: SkillPay API密钥

可选配置：

TELEGRAM_BOT_TOKEN: Telegram通知
DISCORD_WEBHOOK_URL: Discord通知
EMAIL_USER/EMAIL_PASS: 邮件通知
SMS_API_KEY: 短信通知

告警流程

12小时未签到 → 温馨提醒用户
24小时未签到 → 通知第一紧急联系人
48小时未签到 → 通知所有紧急联系人，标记高危

使用场景

独居老人安全监测
独居年轻人互相关心
抑郁症患者安全保障
慢性病患者日常监测
独自旅行安全确认

定价

0.001 USDT/天
自动通过 SkillPay.me 结算

安装

npm install
npm start

许可证

MIT

安全使用建议

Key points to consider before installing or running this skill: - Do not run it on a sensitive or production machine until you review and fix issues: the package contains an apparent SkillPay API key in plaintext (README and skill.json). Treat that as a leaked secret — ask the author to remove it and rotate the key immediately. - The registry metadata declares no required environment variables but the code and SKILL.md require SKILLPAY_API_KEY and optional notifier tokens (Telegram/Discord/Email/SMS). Ensure you supply only credentials you control and limit their permissions. - The notifier modules include copy-pasted templates referencing an unrelated "GitHub Trending Monitor" and some dependencies seem unused; this suggests the code was assembled from other projects. Audit message content and behavior (what gets sent to contact webhooks) before trusting it to notify real emergency contacts. - Verify the SkillPay endpoints and API usage: the payment module will send requests to https://api.skillpay.me. If you plan to enable payments, use an account/API key with minimal scope and monitor for unexpected traffic. - If you plan to deploy: remove hard-coded credentials, declare required env vars in your deployment config, rotate any leaked keys, and run the server in an isolated environment. Consider code cleanup (remove unused deps like discord.js if unused) and test notification flows with test accounts before adding real emergency contacts. If you want, I can list the exact files/lines where the plaintext API key and mismatches occur and suggest a minimal remediation checklist (rotate key, remove key from repo, update skill metadata to declare required env vars, fix notifier templates).

功能分析

Type: OpenClaw Skill Name: daily-alive-check Version: 1.0.1 The bundle implements a 'Daily Alive Check' service for solo dwellers, featuring user registration, daily check-ins, and a scheduled monitor to alert emergency contacts. While the core logic is functional, the notification modules (src/notifiers/telegram.js, discord.js, email.js) and payment integration (src/payment.js) contain significant leftover code and hardcoded strings from a 'GitHub Trending Monitor' project, likely due to template reuse. This results in poorly formatted notifications, but there is no evidence of malicious intent, data exfiltration, or unauthorized execution.

能力评估

⚠ Purpose & Capability

The name/description (daily alive-check + emergency notifications) is consistent with the code's endpoints and notification/payment modules. However the package/registry metadata lists no required environment variables while the SKILL.md and source expect SKILLPAY_API_KEY and optional notifier credentials (TELEGRAM_BOT_TOKEN, DISCORD_WEBHOOK_URL, EMAIL_USER/EMAIL_PASS, SMS_API_KEY). Additionally, notifier code contains copy-pasted GitHub-trending text/templates (e.g., embeds titled "GitHub Trending Monitor"), and package.json includes discord.js though the Discord notifier posts via axios — these indicate sloppy composition and partial reuse of unrelated code.

ℹ Instruction Scope

Runtime instructions are straightforward (npm install / npm start) and the SKILL.md describes required config (SkillPay API key and optional notifier tokens). The code only reads/writes local ./data files and calls external services (SkillPay API, Telegram/Discord/email/webhooks). It does not attempt to read host secrets or system files outside the skill directory. However SKILL.md/README include/expect environment variables that are not declared in the registry metadata; README and skill.json also contain a plaintext API key embedded in the files (see below), which is a security concern and inconsistent with the 'no required env vars' metadata.

ℹ Install Mechanism

There is no platform install spec (it is instruction-driven). Installation uses npm install as documented. Dependencies are common (axios, express, telegraf, nodemailer, node-cron). Some dependencies/strings appear unnecessary or inconsistent (discord.js listed but not used; notifier templates referring to a different product), which suggests copy-paste but not direct install-time maliciousness.

⚠ Credentials

Requested credentials (SkillPay API key and optional notifier tokens) are appropriate for payment and notification features. But the registry metadata claiming 'no required env vars' conflicts with the code/SKILL.md that require SKILLPAY_API_KEY. More importantly, the repository/README/skill.json include an apparent SKILLPAY API key in plaintext (sk_e390b5...), which is a secret disclosure and a red flag: either the key is leaked (someone mistakenly committed a secret) or the package is shipping with a service credential that could be abused. This mismatch and the leaked key justify extra scrutiny.

✓ Persistence & Privilege

The skill does not request 'always: true' and does not attempt to modify other skills or system-wide settings. It stores user data under its own ./data directory and writes local JSON files. It will run scheduled tasks via node-cron, which is expected for monitoring. Overall persistence and privileges are proportional.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install daily-alive-check
安装完成后，直接呼叫该 Skill 的名称或使用 /daily-alive-check 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.1

- 新增详细的功能介绍，包括每日签到、紧急联系人管理、自动监测、签到历史记录及统计分析。 - 明确API端点说明，含请求与响应示例。 - 增加多渠道通知支持（Telegram、Discord、Email、短信）。 - 补充告警流程分级说明，提升紧急响应透明度。 - 列出常见应用场景及定价信息。 - 添加安装和配置指导。

元数据

Slug daily-alive-check

版本 1.0.1

许可证 —

累计安装 0

当前安装数 0

历史版本数 1

常见问题