ratgdo32 disco

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: ratgdo32-disco
Version: 1.0.1

The skill bundle provides a legitimate interface for controlling a ratgdo32 garage door opener via its local REST API. The helper script (scripts/garage.sh) implements standard functionality for status retrieval and door control, including safety checks for obstructions and current door state. No evidence of data exfiltration, malicious execution, or prompt injection was found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A failed or invalid status check could still result in the agent sending a garage-door close command, undermining the stated obstruction/status safety rule.

Why it was flagged

The close path reads status and parses JSON, but it does not check that curl succeeded or that the JSON parse succeeded before calling the control function. If status is empty, malformed, or missing expected fields, the bash script can continue and send a close command instead of aborting.

Skill content

json=$(curl -s --connect-timeout 5 "${BASE}/status.json")
...
obstructed=$(echo "$json" | python3 -c "import json,sys; print(json.load(sys.stdin).get('garageObstructed', False))")
...
control "garageDoorState" "0" "Closing door"

Recommendation

Update the helper script to fail closed: verify curl exit status, HTTP success, non-empty valid JSON, and explicit obstruction/state values before sending any open or close command.

What this means

If the device is exposed beyond a trusted LAN, or if RATGDO_HOST points to the wrong host, commands could affect a physical garage door without another authentication step.

Why it was flagged

The skill discloses that access is controlled by LAN reachability rather than a separate credential. That is expected for this device integration, but it means any agent or host that can reach the configured device may be able to operate it.

Skill content

The ratgdo32 disco uses a **local network trust model**. The device's web API is only accessible from your LAN

Recommendation

Keep the device on a trusted network or VLAN, do not port-forward it, and set RATGDO_HOST explicitly to the intended device.

What this means

Users may not realize from the registry metadata that setup requires an environment variable pointing to the garage device.

Why it was flagged

The helper script requires RATGDO_HOST, while the supplied registry requirements say there are no required environment variables. This is a metadata/setup gap, not hidden malicious behavior.

Skill content

HOST="${RATGDO_HOST:?Set RATGDO_HOST to your ratgdo32 IP or hostname}"

Recommendation

Declare RATGDO_HOST in the skill metadata and ensure users configure it deliberately before use.