Farmos Equipment
ReviewAudited by ClawScan on May 10, 2026.
Overview
This skill is coherent for farm equipment management, but it can read and change fleet maintenance records through a hardcoded unauthenticated HTTP API without clear confirmation or rollback.
Before installing, verify that 100.102.77.110:8005 is your intended FarmOS equipment service. Use extra caution with requests that log hours or mark maintenance complete; ask the agent to show the exact change and get your approval before it sends any POST request.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could accidentally record incorrect maintenance completion based on an ambiguous crew report, changing operational records.
This is a state-changing API call that can mark maintenance as completed. The instruction does not require explicit confirmation, preview of the exact payload, or a rollback path.
POST /api/integration/record-completion ... Use this when someone reports maintenance was done.
Require explicit user confirmation before any POST, show the equipment ID and full payload first, and provide a documented correction or undo process.
Anyone or any agent that can reach the endpoint may be able to view or alter farm fleet records without user identity, access control, or audit attribution.
The skill exposes broad fleet read access and maintenance-record mutation through endpoints explicitly described as unauthenticated.
Integration Endpoints (No Auth Required) ... GET /api/integration/equipment ... Returns: All equipment ... POST /api/integration/record-completion
Protect the API with authentication and least-privilege scopes, especially for write endpoints, and log which user authorized each change.
Equipment names, issue descriptions, maintenance queries, and returned fleet data may flow through this fixed endpoint; users need to verify it is their intended FarmOS integration.
The skill directs the agent to a hardcoded plain-HTTP service. The artifact does not identify the service owner or provide a user-configurable endpoint.
API Base http://100.102.77.110:8005
Confirm the endpoint is trusted and reachable only on the intended private network; prefer HTTPS or a documented authenticated private tunnel.
Users have limited independent context for who operates the endpoint or whether it is the intended FarmOS service.
There is no install code to inspect, but the registry metadata does not provide provenance for the skill or its hardcoded integration endpoint.
Source: unknown Homepage: none
Install only if you recognize the owner and endpoint, and request a homepage or source repository documenting the integration.