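📸 ScanWow Sync — Mobile Scan Sync
v1.1.0
Syncs the ScanWow iOS app with an OpenClaw agent in real time over a secure webhook. High-quality OCR scans from the phone reach the workspace within seconds, with no manual upload.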
Last updated
2026/4/22
Security scan
OpenClaw
Suspicious
medium confidence
Assessment and recommendations
This skill appears to do what it says (receive OCR text via webhook and save it locally), but there are a few things to double-check before you install or run it:
- Metadata mismatch: SKILL.md expects SCANWOW_TOKEN and SCANWOW_DIR environment variables, but the registry lists none. Make sure to set SCANWOW_TOKEN to a strong secret and configure SCANWOW_DIR to a safe directory before running.
- Keep the server bound to 127.0.0.1 and use a trusted TLS tunnel (cloudflared/ngrok/Tailscale) rather t...
ℹ Purpose and capabilities
The name/description (receive OCR scans via webhook) align with the provided instructions: a small HTTP webhook that authenticates with a bearer token and writes received text to files. No unrelated credentials, binaries, or installs are requested. The main mismatch is that the runtime instructions expect environment variables (SCANWOW_TOKEN, SCANWOW_DIR) although the registry lists no required env vars.
⚠ Instruction scope
SKILL.md instructs the agent/operator to run a local Python webhook that binds to 127.0.0.1 and writes incoming JSON.text into files. That is within the stated purpose, but the instructions also read environment variables (SCANWOW_TOKEN, SCANWOW_DIR) that are not declared in the skill metadata. The instructions also recommend exposing the local server via third-party tunnels (ngrok, cloudflared), which increases operational risk if misconfigured. The webhook writes files to disk (default '.'), so the operator must ensure scans don't get stored in sensitive directories.
✓ Install mechanism
There is no install spec and no code files beyond the SKILL.md snippet (instruction-only). This is the lowest-risk install model: nothing would be automatically downloaded or written by an installer.
⚠ Credential requirements
The skill behavior requires a secret token for authentication (SCANWOW_TOKEN) and optionally a path (SCANWOW_DIR), but the registry lists no required environment variables or primary credential. Requesting a single bearer token is proportional to the task, but the metadata omission is an incoherence that could confuse users and automated controls (e.g., secrets managers won't know to provide SCANWOW_TOKEN).
✓ Persistence and privileges
The skill is not always-enabled and does not request elevated or persistent system privileges. It does not modify other skill configurations. The agent can invoke it autonomously (platform default), which is expected for a user-invocable webhook handler.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Versions
latest v1.1.0 2026/2/22
● Benign
Install commands
Official: npx clawhub@latest install scanwow-sync
Mirror (accelerated): npx clawhub@latest install scanwow-sync --registry https://cn.longxiaskill.com