xiaoyue-companion
Audited by Socket on Mar 18, 2026
8 alerts found:
Anomaly (x8)
The skill is broadly consistent with its stated purpose; no clear credential theft or anomalous relay of data to third parties was observed, so it does not look like a malicious skill. However, it has the ability to publish externally without human review, and it processes arbitrary web content that flows directly into that publishing pipeline, so the real-world impact and the indirect prompt-injection risk are high. Overall verdict: SUSPICIOUS, mainly because of high-risk automated publishing and handling of external content, not because of confirmed malice.
The codebase functions as a feature-rich chat assistant server with multiple integrations (Feishu, ZHIPU/StarClaw, OpenClaw, TTS, and local agent personas). There is no explicit malicious payload or backdoor detected. Primary security concerns center on: (1) loading local soul prompts from a fixed Windows path which could lead to prompt injection if the content is compromised; (2) permissive file uploads for voice cloning without validation; (3) SSRF risk via /api/tts/audio fetch of arbitrary URLs; (4) per-request API key override with potential credential leakage through logs; (5) exposure of internal configuration through health/status endpoints. Mitigations should include: restricting and validating local soul sources, strict file upload validation and storage handling, URL allowlisting for TTS proxy, redacting sensitive data from logs, and authentication/authorization on sensitive endpoints. Overall security risk remains moderate to high until mitigations are implemented.
This is an integration/configuration guide and example code that enables a chat frontend to forward task requests to an OpenClaw agent which executes actions on the host. The code itself does not contain obfuscated or directly malicious payloads, but it enables remote execution capabilities and recommends exposing services publicly and storing/transmitting tokens in plaintext. Without additional access controls, input validation, and command whitelisting this creates a significant attack surface: an attacker who obtains the OPENCLAW_TOKEN or gains access to the exposed endpoint can execute arbitrary actions on the host. Treat this as a legitimate-but-high-risk integration requiring strict hardening before use.
The skill's core capabilities are largely consistent with its "virtual companion" purpose; the main risk lies not in overt malicious behaviour but in an unverifiable install source and in proactively sending messages/images outward via Feishu. No credential theft, covert exfiltration, or confirmable malicious endpoints were observed; but because the repository source is missing, dependencies are unpinned, and the skill has proactive communication capability, the overall verdict should be SUSPICIOUS rather than BENIGN.
SUSPICIOUS: the overall workflow fits the stated purpose, but install trust is weakened by an inconsistent COZE dependency/version and unclear same-org provenance for the credential-consuming package. The skill also processes untrusted external media at scale and describes broad automated downstream actions, so it carries moderate security risk even without clear evidence of outright malware or exfiltration.
SUSPICIOUS. The core conversion behavior is coherent and mostly local, but the skill instructs installation/use of a separate `mineru-ocr` skill from a personal GitHub repo rather than directing users to the official MinerU upstream install path. That transitive trust and supply-chain mismatch raises medium risk, though there is no clear evidence of credential theft, exfiltration, or malware in this skill alone.
SUSPICIOUS: the stated multimedia-video purpose is broadly consistent with the described capabilities, and the listed PyPI dependencies look normal. The main concerns are incomplete install provenance for agentkit-samples, unspecified external API endpoints/credential flows, and explicit dependence on another skill, which expands trust scope beyond what is documented here.
The skill's overall purpose and capabilities are largely consistent, and its install source looks normal, so it does not look like a disguised malicious skill; however, the documentation directly exposes what appears to be a real COZE_API_KEY, which is a serious problem, and it allows images together with the key to be sent to an arbitrary VISION_API_BASE, creating a moderate-to-high data-leak risk. Overall verdict: SUSPICIOUS, not confirmed malicious.