aida
v1.0.0
Conversational interface for AIDA to get building status, control devices, optimize objectives, and run diagnostics via secure REST APIs.
⭐ 1 · 2k · 1 current · 1 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
SKILL.md and the code both implement an AIDA building-management integration (status, control, optimize, diagnostics) which is coherent with the skill name. However the registry metadata lacked a description and did not declare any required credentials or env vars, while the code clearly expects AIDA_API_URL and AIDA_API_KEY.
Instruction Scope
The runtime instructions say calls are authenticated via a bearer token and expect REST endpoints; they do not name the exact environment variables or say how the token is supplied. The code actually reads process.env.AIDA_API_URL and process.env.AIDA_API_KEY — the missing declaration is scope creep/omission and could lead to surprising secret access if the operator sets those env vars globally.
Install Mechanism
There is no install spec (instruction-only), but the package.json lists a single dependency (node-fetch). This is lightweight and expected for a JS HTTP client; the lack of an install step means runtime dependency resolution/packaging is up to the platform and should be verified.
Credentials
The code requires two environment values (AIDA_API_URL and AIDA_API_KEY) but the skill registry metadata declares no required env or primary credential. Requesting a bearer token for API access is reasonable for this purpose, but the omission of these env vars from the metadata is inconsistent and increases risk of accidental secret exposure or misconfiguration.
Persistence & Privilege
The skill is not always-enabled and uses the platform default of allowing autonomous invocation; it does not request persistent system-level privileges or modify other skills. No unusual persistence or privilege escalation was observed.
What to consider before installing
This skill implements HTTP calls to an AIDA API and requires two environment variables (AIDA_API_URL and AIDA_API_KEY), but the registry metadata and SKILL.md do not declare those names — a mismatch you should resolve before installing. Before you proceed: (1) verify and update the SKILL.md/manifest to list required env vars and intended endpoint(s); (2) ensure AIDA_API_URL points to a trusted internal HTTPS endpoint (not an arbitrary public server); (3) store the API key securely (do not put it in a broadly-scoped env if other skills/processes can read it); (4) review the included index.js yourself (it only performs simple fetch calls) and confirm you trust the package owner; (5) confirm how your OpenClaw runtime will install node dependencies. If you cannot confirm the intended AIDA host and secure handling of the API key, do not install or run the skill.
Like a lobster shell, security has layers — review code before you run it.
latest vk979pct33pdcfzmnyetcta6cwn80dbaz
