Contactless Health Risk Screening Tool | 非接触式健康风险检测分析工具

Combines frontal facial image capture with multimodal physiological feature analysis to provide early risk screening and alerts for chronic and acute conditi...

Summary of practical concerns and steps before installing: - Data flows and privacy: This skill will accept facial images/videos and send them to remote APIs (base URLs found in smyx_common config point to lifeemergence.com domains). If you install it, highly sensitive biometric data will leave your machine — confirm you trust the remote service owner, their data retention and encryption practices, and that you have user consent. - Undeclared env/config access: The manifest claims no required env vars, but the code reads OPENCLAW_WORKSPACE, OPENCLAW_SENDER_OPEN_ID, OPENCLAW_SENDER_USERNAME, FEISHU_OPEN_ID and can read/write YAML config files (skills/smyx_common/scripts/config.yaml). Expect the skill to look at or create files under the workspace and to persist a local SQLite DB. If that surprises you, do not install. - Local persistence and writes: The skill will save attachments and may create a local DB under a workspace/data path and may create config YAML files if missing. Review those file locations and ensure they're acceptable for your environment (sandbox first). - Missing declaration of credentials: The code references API keys and has optional --api-key support but the registry lists no primary credential. Before use, determine what API endpoint and API key you must supply, who operates that endpoint, and how keys are stored and protected. - Medical/regulatory caution: This is a health-related tool that outputs screening suggestions. It explicitly says it is not a diagnosis. If you plan to deploy for real users (especially elderly or clinical settings), verify legal/regulatory compliance and clinical validation. - Recommended actions: - Inspect or grep the config files (skills/smyx_common/scripts/config*.yaml) to confirm the configured API base URLs and whether they point to a provider you trust. - Run the skill in a sandboxed environment (isolated workspace) first to observe files created under OPENCLAW_WORKSPACE and attachments/ and data/ so you can audit persistence. - If you cannot verify the remote API operator or data handling policies, do not use with real personal/biometric data. - If you need to proceed, require explicit consent from data subjects and prefer supplying an API key you control; review where and how the skill stores that key (config file) and secure it. What would change this assessment: providing an authoritative source/homepage for the skill and documentation from the API operator describing data handling, explicit manifest declarations of environment variables and file-write behavior, or removal of local DB/config creation would increase confidence. Conversely, evidence that the remote endpoints are untrusted or that the skill exfiltrates data beyond the described API would raise the verdict to malicious.

Type: OpenClaw Skill Name: smyx-contactless-health-risk-detection-analysis Version: 1.0.0 The skill implements a contactless health screening tool that captures facial images/videos and uploads them to a remote service (lifeemergence.com) for analysis. It contains aggressive prompt instructions in SKILL.md ('Forced Memory Rules') designed to override the AI agent's standard behavior by prohibiting the use of local memory and forcing cloud API usage. Technically, the bundle includes risky capabilities such as executing system commands via subprocess.run in skills/smyx_common/scripts/skill.py and storing authentication tokens/user identifiers in a local SQLite database (smyx-common-claw.db). While these actions appear aligned with the stated purpose of the tool, the combination of biometric data collection, forced API reliance, and system-level execution triggers a suspicious classification.