Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
HiLink LTE Modem
v1.0.0Control Huawei HiLink USB LTE modems (E3372, E8372, etc.) via REST API. Send/receive SMS, check signal strength, manage SIM PIN, query prepaid balance, and m...
⭐ 0· 267·0 current·0 all-time
by@and0r-
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
Name/description align with the included shell script and the documented HiLink API; the actions (SMS, PIN, signal, network setup) are coherent with a modem-management tool. However, the package metadata declares no required binaries while the script clearly depends on curl, python3, ip, sudo, grep/sed/awk, and ping — a discrepancy to be aware of.
Instruction Scope
Runtime instructions and the script direct the agent/user to modify network interfaces, create udev rules, edit /etc/network files, run sudo ip/route commands, and source ~/.config/hilink/config. Sourcing the config file executes any shell content inside it (not limited to simple variable assignments), which is a direct code-execution risk if the file is untrusted or tampered with. The skill only targets the local modem API (no external endpoints), but it has broad discretion over system networking.
Install Mechanism
There is no install spec (instruction-only plus an included script), which is low risk for arbitrary remote downloads. But because a runnable script is included and it relies on several external binaries, the omission of dependency declarations is a packaging/information gap that could surprise users at runtime.
Credentials
No credentials are requested by the registry metadata, which matches the local-only nature of the modem API. However, the skill reads/sources a local config (~/.config/hilink/config) that may include HILINK_PIN (SIM PIN) in plaintext — this is sensitive. More importantly, sourcing the config runs any shell code present, so the skill can effectively execute arbitrary content from a user-writable path, which is disproportionate if the intended purpose is only to read a few variables.
Persistence & Privilege
The skill suggests persistent system changes (udev rule, /etc/network/interfaces.d entry) and issues privileged commands (sudo ip addr/route modification). These actions are consistent with a modem manager but require elevated privileges and will affect system networking; users should be aware and review/approve such changes explicitly before running.
What to consider before installing
This skill does what it says (manage Huawei HiLink modems) but requires elevated network privileges and has two practical risks: (1) it sources ~/.config/hilink/config which will execute any shell code in that file — only use a config that contains simple variable assignments and inspect it before running; (2) the included script expects tools (curl, python3, ip, sudo, ping, grep, sed) that the registry metadata doesn't declare. Before installing: inspect scripts/hilink.sh fully, don't place sensitive credentials/PINs in an unprotected file, run first in an isolated VM or container, and be prepared to review/undo udev and /etc/network changes. If you don't want the script to modify system networking, avoid running the parts that call sudo or require creating udev rules.Like a lobster shell, security has layers — review code before you run it.
latestvk971s8j3jxxj3jp5h5pacp4vc982g4y7
License
MIT-0
Free to use, modify, and redistribute. No attribution required.