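AI outfit assistant that helps users manage their wardrobe, recommends outfits, and offers shopping and product-discovery advice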
Security Analysis
medium confidence
The skill's stated purpose (wardrobe/outfit assistant) is plausible, but there are inconsistencies between the manifest/instructions and the shipped code (missing runtime/install declarations, hardcoded paths, and external downloads) that warrant caution before installing.
The Skill description and SKILL.md describe a local wardrobe/outfit assistant that can use optional external Vision/Image APIs. However the package contains a substantial Python codebase (main.py, many src/ modules) and scripts but declares no required binaries or install steps. That mismatch (no declared runtime requirement for Python/requirements, yet a full Python project is present) is an incoherence the user should be aware of.
SKILL.md itself stays on-topic (wardrobe management, optional Vision API configuration, local SQLite storage). It does not instruct arbitrary file reads/exfiltration. However included artifacts (download_images.sh) perform many outgoing HTTP downloads to external image hosts; config.yaml exposes optional API keys and endpoints (siliconflow, serper, open-meteo). The runtime behavior will include network calls if optional features are enabled and will write files locally. SKILL.md promises local storage and downgrade behavior when APIs are not configured.
No install spec is provided (lower formal install risk), but the repository clearly expects a Python runtime and third-party packages (requirements.txt present). The manifest does not declare required binaries (python, pip) or an install step, which is inconsistent. Additionally, download_images.sh uses curl to fetch many external images and writes to a hard-coded absolute path (/Users/mac/.openclaw/...), which is brittle and may behave unexpectedly on other systems.
requires.env lists none and SKILL.md shows API keys as optional entries in config.yaml — this is proportionate for optional Vision/Image features. No unexpected secrets are required. Still, optional external providers (siliconflow, serper, possibly OpenAI) are referenced; if you enable them you will supply API keys, so treat them like any external service credential.
The skill does not request always:true, does not declare elevated platform privileges, and appears to store data locally in SQLite. No evidence it attempts to modify other skills or global agent configuration.
Guidance
This package mostly does what it says (a local wardrobe/recommendation assistant), but inspect and take these precautions before installing:
(1) The bundle contains a full Python project but the manifest does not declare required runtime binaries — ensure you run it in a controlled Python environment and review requirements.txt.
(2) Review download_images.sh and any scripts that make outgoing HTTP requests; the download script writes to a hard-coded /Users/mac/... path and will fetch many external images — run such scripts only if you trust the sources or after editing the path.
(3) Optional external providers (siliconflow, serper, OpenAI) are referenced — only add API keys if you trust those services and understand what data will be sent.
(4) Confirm the authorship/source (owner ID looks opaque and homepage is missing); prefer skills from known maintainers.
(5) If you want to be safe, run the skill in a sandboxed environment, inspect the Python modules (especially services/vision.py and services/shopping.py) for any unexpected network or file operations, and back up any local data before enabling automatic downloads or backups.
Latest Release
v0.3.3
Enhanced clothing tag recognition, refined template library, user profiling and personalized recommendations
Published by @89kpjddmtb-ui on ClawHub