Security Scan
OpenClaw
Suspicious
medium confidence
The skill's functionality mostly matches its description, but it claims automatic syncing to Feishu without declaring or documenting how Feishu credentials are provided, which is an incoherence that could lead to unintended data exfiltration of sensitive child data.
Assessment recommendations
This skill appears functionally coherent except for how it handles Feishu (飞书) syncing: the README and SKILL.md mention a feishu_doc_token but the skill metadata does not declare any required credentials. Before installing, ask the author how Feishu authentication is provided and stored. If you plan to use Feishu sync, prefer a scoped, short-lived token limited to a single document; do not reuse broad account tokens. Verify the skill will only write to the advertised memory/baby-words-database.j...
ℹ Purpose and capabilities
The name/description (record and track baby words, categorize, sync to Feishu) align with the included files and instructions. However, the README and SKILL.md mention automatic Feishu synchronization and an optional feishu_doc_token, yet the skill metadata declares no required credentials or env vars — this mismatch is unexpected and unexplained.
ℹ Instruction scope
SKILL.md explicitly tells the agent to parse input, update a local database at memory/baby-words-database.json, and '同步飞书' (sync to Feishu cloud document). The instructions do not tell the agent to read unrelated system files, but they do direct communication with an external service (Feishu). The instructions are otherwise specific about the DB path and record format, but vague about the exact Feishu API endpoints and how auth is obtained.
✓ Install mechanism
No install spec (instruction-only) and the single Python helper is a simple initializer that only prints a JSON structure. Nothing in the install surface writes or executes downloaded code, so install risk is low.
⚠ Credential requirements
The skill requires access to an external Feishu document (sensitive personal data). The README shows a feishu_doc_token example but the skill metadata lists no required env vars or primary credential. Requesting or using a cloud doc token is proportionate to the stated Feishu-sync feature, but failing to declare it is a red flag: it's unclear how the token is supplied, stored, or restricted. This ambiguity increases the risk of accidental exposure of children's data.
✓ Persistence and permissions
The skill is not always-enabled, is user-invocable, and does not request elevated platform privileges or modify other skills. It writes to a local memory path (memory/baby-words-database.json) which is consistent with its purpose.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/4/9
Initial release of Baby Words Tracker
- Enables easy recording of baby’s spoken words and phrases in multiple languages, with support for bracket notation for partially spoken words.
- Automatically classifies new vocabulary as single, double, triple-character words, or full sentences.
- Avoids duplicate entries and generates real-time vocabulary statistics and growth reports.
- Supports Mandarin, Cantonese, English, and more.
- Syncs all records and reports to Feishu cloud documents for easy access by parents.
● Pending
Install command
Official: npx clawhub@latest install baby-words-tracker
Mirror (accelerated): npx clawhub@latest install baby-words-tracker --registry https://cn.longxiaskill.com