Farmos Equipment

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: farmos-equipment
Version: 1.0.0

The skill bundle is benign. The `SKILL.md` provides extensive, detailed, and imperative instructions for the AI agent on how to interact with users, query internal API endpoints (http://100.102.77.110:8005), log data, and integrate with other OpenClaw skills. All instructions are aligned with the stated purpose of managing farm equipment and lack any evidence of intentional harmful behavior such as data exfiltration, unauthorized command execution, persistence mechanisms, or malicious prompt injection against the agent. While user-controlled input is passed to API endpoints (e.g., `query` for search, `performed_by` for logging), this is for legitimate functionality, and any potential vulnerabilities would reside in the backend API's handling of this input, not in the skill's intent.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent could accidentally record incorrect maintenance completion based on an ambiguous crew report, changing operational records.

Why it was flagged

This is a state-changing API call that can mark maintenance as completed. The instruction does not require explicit confirmation, preview of the exact payload, or a rollback path.

Skill content

POST /api/integration/record-completion ... Use this when someone reports maintenance was done.

Recommendation

Require explicit user confirmation before any POST, show the equipment ID and full payload first, and provide a documented correction or undo process.

What this means

Anyone or any agent that can reach the endpoint may be able to view or alter farm fleet records without user identity, access control, or audit attribution.

Why it was flagged

The skill exposes broad fleet read access and maintenance-record mutation through endpoints explicitly described as unauthenticated.

Skill content

Integration Endpoints (No Auth Required) ... GET /api/integration/equipment ... Returns: All equipment ... POST /api/integration/record-completion

Recommendation

Protect the API with authentication and least-privilege scopes, especially for write endpoints, and log which user authorized each change.

What this means

Equipment names, issue descriptions, maintenance queries, and returned fleet data may flow through this fixed endpoint; users need to verify it is their intended FarmOS integration.

Why it was flagged

The skill directs the agent to a hardcoded plain-HTTP service. The artifact does not identify the service owner or provide a user-configurable endpoint.

Skill content

API Base

http://100.102.77.110:8005

Recommendation

Confirm the endpoint is trusted and reachable only on the intended private network; prefer HTTPS or a documented authenticated private tunnel.

What this means

Users have limited independent context for who operates the endpoint or whether it is the intended FarmOS service.

Why it was flagged

There is no install code to inspect, but the registry metadata does not provide provenance for the skill or its hardcoded integration endpoint.

Skill content

Source: unknown
Homepage: none

Recommendation

Install only if you recognize the owner and endpoint, and request a homepage or source repository documenting the integration.