Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
MicroPython Skills
v1.0.0Program and interact with embedded development boards (ESP32, ESP32-S3, ESP32-C3, ESP8266, NodeMCU, Raspberry Pi Pico, RP2040, STM32) through real-time REPL....
⭐ 1· 117·1 current·1 all-time
by@0x1abin
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
Name and description align with the included scripts and SKILL.md. Required binaries (python3, mpremote, esptool) are appropriate for probing devices, flashing firmware, and executing code. The presence of device_probe, firmware_flash, webrepl_exec and wifi_setup scripts is coherent with the stated capabilities.
Instruction Scope
The SKILL.md instructs the agent to run bundled scripts that modify device state (write files, update boot.py, enable WebREPL, erase/flash firmware). The wifi_setup flow requests user Wi‑Fi credentials (expected) but the WiFi setup code writes plaintext credentials to device files (boot.py and webrepl_cfg.py) and prints the webrepl password inside a RESULT JSON — this contradicts the skill's own safety guidance that passwords should not be saved or echoed. Firmware flashing and erase_flash behaviors are labeled 'Dangerous' in the references, which is appropriate, but the scripts must strictly require explicit user confirmation; ensure the agent never auto-uses --yes without an explicit user consent.
Install Mechanism
No install spec (instruction-only) reduces install-time risk. Firmware downloads in firmware_flash.py come from micropython.org (trusted), and scripts use standard Python stdlib and expected third-party tools. No untrusted or short‑URL downloads or arbitrary remote code hosting were found.
Credentials
The skill requests no environment variables or external credentials (good). However, it explicitly asks users for Wi‑Fi SSID/password and a WebREPL password and then persists and prints those secrets in device files and script output — this is disproportionate from a secrecy standpoint and risks accidental exfiltration via logs or agent output parsing.
Persistence & Privilege
The skill does not set always:true and does not require system-level credentials. It does modify device‑local persistent storage (writes boot.py, webrepl_cfg.py, backs up files, erases/flashes device). Those device-level persistent actions are expected for this domain but are high‑impact operations; they should always require explicit, unambiguous user confirmation before execution.
What to consider before installing
This skill appears to be what it claims (tools for MicroPython boards) but has two important caution points: (1) wifi_setup.py writes Wi‑Fi credentials and a WebREPL password to files on the device and prints the password in a RESULT JSON — that can expose secrets in logs or agent output. (2) firmware_flash.py performs full flash/erase operations which can permanently erase device files and brick devices if used incorrectly. Before installing or using: review the wifi_setup.py and firmware_flash.py source yourself; do not supply Wi‑Fi passwords unless you accept they will be stored on the device and may appear in output; never allow the agent to run flashing (--yes) or erase operations without explicit, informed user confirmation; back up boot.py/main.py before any write/flash; and test on non-critical hardware first. If you want, I can point out the exact lines where passwords are printed/written and propose safe edits (e.g., stop printing passwords, avoid writing plaintext boot.py, remove passwords from RESULT output).Like a lobster shell, security has layers — review code before you run it.
latestvk9799fmphjjq954c8knb1f8w5x83j12d
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🔌 Clawdis
OSLinux · macOS · Windows
Binspython3, mpremote, esptool