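📦 observerclaude — User Behavior Observation
v1.0.0
A UX research assistant resident in OpenClaw that silently records all user actions and use-case traces, automatically generates logs and distills insights, and provides data to support product iteration.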
0 · 320 · 0 current · 0 cumulative
Last updated: 2026/4/22
Security scan
OpenClaw
Suspicious
high confidence
Assessment recommendations
What to consider before installing:
- Privacy impact: This skill is designed to capture verbatim user text from every OpenClaw interaction and persist it locally. If you use the agent for any sensitive work (emails, credentials, personal data), those words may be logged unless redaction works correctly. Assume high-risk data could be recorded.
- Contradictory redaction rules: The observer contains two conflicting instructions: one place says only redact passwords/API keys/financial secrets, wh...
⚠ Purpose and capabilities
Name, description, and included files consistently implement a full-featured UX observer that logs interactions, runs surveys, and produces reports — so the declared purpose matches the capabilities. Concerns: the publisher/source is unknown and there is no homepage or provenance; the skill's instructions demand continuous per-conversation observation ('Use this skill on EVERY conversation') even though registry flags do not force always-on privilege (always:false). The skill also instructs creating and writing a persistent data store under ~/.uxr-observer, which is proportionate to its purpose but high-impact and deserves scrutiny given unknown ownership.
⚠ Instruction scope
The SKILL.md explicitly tells the agent to capture users' 'ACTUAL WORDS' and persist them immediately to ~/.uxr-observer, run post-task surveys after every completed task, run end-of-day reports, and attempt to create/send Google Docs/email reports via available tools. Critically, the Sub-Agent prompt says 'Only redact passwords, API keys, and financial secrets. Everything else is captured verbatim' while redaction-rules.md enumerates many more PII types to always redact (names, emails, phones, IPs, etc.) — this is a direct contradiction in the runtime instructions. The instructions also require immediate file creation and self-repair behaviors (create missing dirs, reinitialize files), which expand the agent's scope to persistent filesystem writes and self-healing actions on the host.
✓ Install mechanism
No install spec — instruction-only skill with one benign Python charting script. No network-download or package installation is declared. generate-charts.py reads local files and uses matplotlib if present; no external code-fetching or remote endpoints are embedded in the code files provided.
ℹ Credential requirements
The skill declares no required environment variables or credentials, which is consistent with the provided code and instructions. However, it instructs using 'Google Docs/Drive tools' and 'available email tools' to create and send reports; those behaviors will rely on platform integrations or additional credentials that are not declared by the skill itself. In other words, it expects the agent/platform to already provide mail/drive access — verify how your environment implements sending (and whether credentials will be used).
⚠ Persistence and privileges
The skill requires persistent disk storage under ~/.uxr-observer and directs immediate, append-only logging after every interaction. Although always:false (not force-enabled globally), the SKILL.md expressly demands to 'run continuously' and 'use this skill on EVERY conversation', which effectively requires frequent autonomous invocation. This combination (continuous logging + immediate persistence + autonomous invocation) significantly increases privacy risk and blast radius if misconfigured or if redaction is incorrect.
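Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Versions
latest · v1.0.0 · 2026/3/4
● Suspicious
Install command
Official: npx clawhub@latest install observerclaude
Mirror (accelerated): npx clawhub@latest install observerclaude --registry https://cn.longxiaskill.com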