Farmos Observations

Review: Audited by ClawScan on May 10, 2026.

Overview

The skill matches its FarmOS observation purpose, but it uses an undeclared manager JWT and local auth script against a hard-coded HTTP API to read and create farm records.

Install only if you trust the FarmOS API endpoint and the local `farmos-auth.sh` helper. Before use, confirm that the token is least-privileged, that the API transport is protected, and that the agent will show observation details and attachments for approval before creating records.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may act with FarmOS manager authority to read protected observations and create records; if the token or endpoint is mishandled, actions may be attributed to a privileged account.

Why it was flagged

The skill tells the agent to obtain and use a manager-role JWT for protected FarmOS APIs. This is high-impact account authority, but the registry metadata says there is no primary credential and the artifacts do not show least-privilege scoping.

Skill content

This skill accesses protected FarmOS endpoints that require a JWT token. ... TOKEN=$(~/clawd/scripts/farmos-auth.sh manager) ... curl -H "Authorization: Bearer $TOKEN" http://100.102.77.110:8008/api/endpoint

Recommendation

Declare the credential requirement, use a least-privileged observation-only token where possible, document exactly what the token can access, and prefer a protected HTTPS or clearly trusted internal transport.

What this means

A user cannot verify from this skill package how the JWT is obtained or whether the helper script uses broader credentials.

Why it was flagged

The skill relies on a local helper script outside the provided file manifest. That helper may be legitimate, but its source, permissions, and behavior are not visible in this instruction-only package.

Skill content

TOKEN=$(~/clawd/scripts/farmos-auth.sh manager)

Recommendation

Document the helper script’s source and expected behavior, include it in the reviewed package if appropriate, or require a clearly configured external credential provider.

What this means

If approved, the agent can add observation records and upload photos to FarmOS.

Why it was flagged

The skill can perform state-changing API calls and upload selected image files. This is purpose-aligned and the instructions require asking first, but it is still meaningful mutation authority.

Skill content

POST /api/observations ... Content-Type: multipart/form-data ... `photo` (optional) — Image file attachment ... Proactive observation creation ... Don't create silently — ask first.

Recommendation

Show the proposed observation details, field ID, severity, and attachments before submitting; require explicit user confirmation for each create action.

What this means

Farm operational details and field images may be stored or processed by the configured backend.

Why it was flagged

The skill sends field descriptions, IDs, and optional photos to a hard-coded FarmOS backend. That data flow is disclosed and purpose-aligned, but the artifact does not identify the service owner or transport protections.

Skill content

API Base

http://100.102.77.110:8008 ... Form fields: ... `description` ... `field_id` ... `photo` (optional) — Image file attachment

Recommendation

Verify that the API endpoint is the intended FarmOS service, avoid uploading unintended private files, and document retention and access controls for uploaded observations.

Note (Medium Confidence)

ASI08: Cascading Failures

What this means

A single logged observation may create additional workflow records beyond the observation itself.

Why it was flagged

The skill discloses that creating an observation can have downstream effects in other FarmOS-related systems.

Skill content

Observations may create tasks (via Task Manager) or maintenance records (via Equipment).

Recommendation

Clarify whether downstream tasks or maintenance records are automatic, and ask for separate confirmation before creating those records if they are not purely informational.