Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
ESP-IDF Helper
v1.1.0Help develop, build, flash, and debug ESP32/ESP8266 firmware using Espressif ESP-IDF on Linux/WSL. Use when the user asks about ESP-IDF project setup, config...
⭐ 0· 682·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
medium confidencePurpose & Capability
The skill's code and SKILL.md are consistent with an ESP-IDF helper: it runs idf.py, packages firmware, and helps attach USB serial devices in WSL. However the registry metadata at the top of the submission lists no required binaries/env vars while the embedded SKILL.md explicitly requires idf.py and IDF_PATH — this mismatch is an inconsistency to be aware of.
Instruction Scope
Instructions and scripts stay within the stated purpose (build, flash, monitor, package firmware, and attach USB devices). Notable behaviors: usbipd_attach_serial.sh invokes powershell.exe to run usbipd on Windows and may call usbipd bind/attach (requires admin on Windows); pack_firmware.sh extracts MAC addresses from flash logs and writes mac_addresses.txt into the package. No instructions upload data to external endpoints.
Install Mechanism
No install spec; this is an instruction-only skill with included local scripts. Nothing is downloaded or extracted from external URLs by the skill itself, which minimizes install-time risk.
Credentials
The SKILL.md expects IDF_PATH and idf.py (reasonable and proportionate for ESP-IDF work). The registry metadata showed no required env/bins, which is inconsistent. The scripts also reference Windows system paths (/mnt/c/Windows/*) for PowerShell when used under WSL, and will write local files (e.g., mac_addresses.txt, temporary logs). No unrelated credentials or secret environment variables are requested.
Persistence & Privilege
The skill is not force-included (always:false) and does not request elevated platform privileges. It does run usbipd bind/attach which may require Windows admin rights to bind devices, and SKILL.md suggests adding Windows paths to ~/.bashrc (user action). The skill does not modify other skills or global agent configs.
Assessment
This appears to be a legitimate ESP-IDF helper that ships helpful scripts for building, flashing, packaging firmware and for attaching USB serial devices in WSL. Before installing/running: 1) Verify you have idf.py available and set IDF_PATH (SKILL.md expects these even though registry metadata omitted them). 2) Inspect the included scripts (usbipd_attach_serial.sh and pack_firmware.sh) yourself — they run powershell.exe/usbipd on Windows and will perform usbipd bind/attach (may require admin), and pack_firmware.sh extracts MAC addresses from flash logs and writes mac_addresses.txt into the package. 3) Be comfortable granting local device access and (on Windows) admin operations if you run the usbipd script. 4) If you don't want MACs recorded, review/modify the pack script before use. The main risk is operational (device binds, admin prompts), not network exfiltration; the metadata mismatch reduces confidence—ask the publisher to correct registry metadata or provide provenance if you need higher assurance.Like a lobster shell, security has layers — review code before you run it.
latestvk971gmt44rrqg7h4t73zkstn4d84wdq6
License
MIT-0
Free to use, modify, and redistribute. No attribution required.