ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

dokidoki

Control interactive BLE devices (scan/connect/playback/timeline) from terminal.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 33 · 0 current installs · 0 all-time installs
bytryjoy@LovappenCava
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (control BLE devices via a CLI) align with the declared binary requirement ('doki') and the SKILL.md commands. It also reasonably documents Node.js, audio tool, and BLE requirements. However, the registry metadata (owner ID/version) differs from the _meta.json owner/version embedded in the files, which is inconsistent with the stated origin.
Instruction Scope
SKILL.md only instructs running the 'doki' CLI, describes commands, timeline format, playback, and daemon management. It does not ask the agent to read unrelated files, exfiltrate data, or call external endpoints. It does note the log path (/tmp/dokidoki.log), which is expected for a CLI.
!
Install Mechanism
The registry record lists no install spec, but SKILL.md includes metadata recommending installing @tryjoy/dokidoki via npm (global). Installing a global npm package from an unverified publisher is a moderate-risk install mechanism. The install instruction appears only inside SKILL.md metadata rather than as an explicit registry install spec, which is an inconsistency that should be resolved before trusting the package.
Credentials
No environment variables or credentials are requested. The tool's requirements (Node.js, BLE, optional ffplay/afplay) are proportional to the stated functionality.
Persistence & Privilege
The skill does not request always:true, has no declared persistent privileges, and does not instruct altering other skills or system-wide settings. It will run the doki binary and write logs to /tmp/dokidoki.log as expected.
What to consider before installing
This skill appears to do what it says (run the 'doki' CLI to control BLE devices), but there are some provenance and install risks to consider before installing: - Confirm the package source: SKILL.md recommends installing @tryjoy/dokidoki via npm, but the registry metadata and the _meta.json owner/version do not match. Verify the npm package owner (@tryjoy) and inspect the package contents on the npm registry (or prefer installing from a known GitHub release) before running a global install. - Avoid blind global npm installs from unknown maintainers. If you need to test, install in a sandbox/container or use a limited account and inspect the 'doki' binary script for unexpected behavior. - Check the CLI's behavior with Bluetooth: it will require BLE access and may start a background daemon. Ensure you understand and are comfortable granting BLE permissions on your system. - Look at the package's logging: it writes to /tmp/dokidoki.log. Confirm no sensitive data is being logged and that logs are rotated/cleared as needed. If the publisher and npm package provenance check out (trusted publisher, readable package source, matching metadata), the skill is coherent and likely safe to use. If you cannot verify the package source or owner mismatch remains unresolved, avoid installing or run it in an isolated environment.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.1
Download zip
latestvk975enrpwyvd2rqqgk3e8f6c1x830e5v

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎮 Clawdis
Binsdoki

SKILL.md

DokiDoki CLI

Use doki to control interactive BLE devices from the terminal.

Quick Start

  • doki scan - Scan for BLE devices (auto-starts daemon)
  • doki connect DK-META2 - Connect to device (auto-starts daemon)

Common Tasks

Daemon Management

  • doki start - Start background daemon
  • doki stop - Stop background daemon
  • doki status - Check daemon and connection status

Device Connection

  • doki scan - Scan for BLE devices
  • doki connect [name] - Connect to device (default: DK-META2)
  • doki disconnect - Disconnect from device

Timeline Playback

  • doki player play [audio] <timeline.json> - Play timeline with optional audio sync
  • doki player pause - Pause playback (stops device)
  • doki player resume - Resume playback

Direct Device Control

  • doki action linear 50 - Set linear to 50%
  • doki action rotary -30 - Set rotary to -30 (reverse)
  • doki action vibration 80 - Set vibration to 80%
  • doki action pause - Immediately stop all device actions

Timeline Format

Timeline files are JSON files defining device actions at specific timestamps:

{
  "duration": 180.5,
  "actions": [
    {"timestamp": 0.0, "type": "VIBRATION", "value": 50},
    {"timestamp": 5.5, "type": "LINEAR", "value": 30},
    {"timestamp": 10.0, "type": "ROTARY", "value": -50}
  ]
}

Action Types

TypeValue RangeDescription
LINEAR0-100Linear/stroke motion intensity
ROTARY-100 to 100Rotation speed (negative=reverse)
VIBRATION0-100Vibration intensity

Notes

  • Requires Node.js 18+ and Bluetooth Low Energy (BLE) support
  • Supported audio formats: MP3, AAC/M4A, WAV, FLAC, OGG, AIFF
  • Audio playback requires ffplay (Linux/Windows) or afplay (macOS)
  • Logs are written to /tmp/dokidoki.log

Files

2 total
Select a file
Select a file to preview.

Comments

Loading comments…