Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
skill-create-pip
v2.0.0
Control Ecovacs/DEEBOT robot vacuums via the Ecovacs IoT API. Use when the user wants to control a robot vacuum, check battery, start/stop/pause cleaning, re...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the included code and docs. The script implements login, device discovery, and command sending to Ecovacs endpoints (api-app.dc-cn.cn.ecouser.net and device mqs hosts), which is exactly what a robot-control skill should do.
Instruction Scope
SKILL.md instructions align with the python script: login → get devices → send commands. The guidance references only the Ecovacs API, the included files, and a session file (~/.ecovacs_session.json). There are no instructions to read unrelated system files or transmit data to third-party endpoints.
Install Mechanism
No install spec — instruction-only with an included Python script. No downloads from arbitrary URLs or package installs. This is the lowest-risk install model for this functionality.
Credentials
The skill requests no environment variables or external credentials, which is appropriate. It does persistently store phone and password (MD5 or MD5-of-plaintext) and token in ~/.ecovacs_session.json; persisting credentials to a local file is functional but a security/privacy consideration (see user guidance).
Persistence & Privilege
always is false and the skill does not request system-wide changes or modify other skills. Writing a session file under the user's home directory is expected for a client; it does not alter other agent configurations.
Assessment
This skill appears to do what it claims (control Ecovacs vacuums). Before installing: (1) be aware the script stores your phone and password (MD5 or MD5-of-plaintext) plus token in ~/.ecovacs_session.json — protect that file (restrict file permissions) or remove the stored password after login if you prefer. (2) Traffic is sent to Ecovacs endpoints defined in the code; if you require higher assurance, verify those hostnames against official Ecovacs documentation or an official SDK/repo. (3) Because the session file contains credentials, delete or rotate them if you stop using the skill. (4) If you need stricter security, consider running the script in an isolated environment or inspect/modify the code to use a more secure secret store instead of a plaintext session file.
Like a lobster shell, security has layers — review code before you run it.
