Package Detection Skill | 包裹检测技能

Detects the presence of delivery packages within the target surveillance area; suitable for inventory checks and unattended alerts at community stations, res...

Key things to consider before installing or using this skill: - Incoherent documentation: The SKILL.md mixes package-detection text with unrelated health/face-analysis content — this indicates copy-paste reuse and increases the code footprint. Treat that as a sign to inspect the code before trusting it. - Network behavior: The scripts call remote APIs (default base URLs in skills/smyx_common config point to lifeemergence.com domains). If you plan to use this, verify the API endpoints, who operates them, and whether you trust them. Do not supply sensitive credentials or an open-id until you confirm the endpoint and operator. - Local persistence and file saving: The skill will accept uploads and the documentation instructs saving attachments to disk. The included DAO can create SQLite files under the workspace 'data' directory. If you have privacy concerns, run it in an isolated/sandbox environment and review where files are written. - Environment/credential mismatch: Although the registry claims no required env vars, the code reads several environment variables and configuration files. Check skills/smyx_common/scripts/config.yaml and the workspace config path(s) that the SKILL.md references. The open-id acquisition rules are strict; ensure you understand what identifier the skill expects and why. - Review RequestUtil / network code: The shared util module likely implements HTTP calls and auth headers. Inspect skills/smyx_common/scripts/util.py to confirm what information is sent to remote servers (file contents, headers, tokens) before providing real data. - Minimize risk: If you need this capability, run the skill in a controlled environment (isolated container or VM), avoid passing real credentials/open-ids until you verify endpoints, and confirm attachments are deleted after processing if required. If you want, I can: - Summarize exactly which files/functions perform network calls and where they send data (I can scan util.py, api_service classes, and the package_detection flow). - Highlight where files are written on disk and list the exact paths constructed by the code. - Suggest a minimal sandboxed test procedure to validate behavior safely.

Type: OpenClaw Skill Name: smyx-package-detection-analysis Version: 1.0.0 The skill bundle contains a significant amount of unrelated code, including a complete 'face_analysis' sub-skill for TCM health assessments, which is irrelevant to package detection. The SKILL.md file includes aggressive 'Mandatory Rules' (prompt instructions) that force the AI agent to bypass its standard memory systems (LanceDB/local files) and exclusively use the provided API scripts. Furthermore, the 'smyx_common' utility automatically attempts to register users by sending their 'open-id' (which the instructions suggest could be a phone number) to a remote endpoint (lifeemergence.com) and stores authentication tokens in a local SQLite database (smyx-common-claw.db). While these behaviors may be part of a legitimate service framework, the excessive code surface and instructions to bypass agent memory are highly suspicious.