Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

DroneMobile

v0.1.0

Control vehicles via DroneMobile (Firstech/Compustar remote start systems). Use when the user asks to start their car, stop the engine, lock/unlock doors, op...

by Bryan Tegomoh, MD, MPH (@bryantegomoh)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The script and SKILL.md implement DroneMobile vehicle control (start/stop/lock/unlock/status) which is coherent with the skill name and description. However the registry metadata lists no required environment variables or primary credential while the SKILL.md and script both require DRONEMOBILE_EMAIL and DRONEMOBILE_PASSWORD (and optionally DRONEMOBILE_DEVICE_KEY). This metadata omission is inconsistent and should be corrected by the publisher.
Instruction Scope
Runtime instructions are narrowly scoped to authenticating to DroneMobile and invoking vehicle commands. The SKILL.md does not instruct the agent to read unrelated files or send data to unexpected endpoints; the script uses the drone_mobile client library and prints local status/errors only.
Install Mechanism
There is no install spec in the registry (instruction-only), but SKILL.md recommends 'pip install drone-mobile --break-system-packages'. Relying on a third-party PyPI package is a moderate-risk action and the use of '--break-system-packages' can be problematic in some environments. The package and its source should be verified before installation.
Credentials
The script legitimately needs account credentials (email + password) to control vehicles, which is proportionate to the purpose. However the credential is a plaintext account password stored as environment variables (sensitive) and the registry metadata fails to declare these required env vars. Requiring a password rather than a scoped token raises additional risk; users should prefer least-privilege tokens or OAuth if available and avoid putting long-lived passwords in global config.
Persistence & Privilege
The skill does not request always: true, does not modify other skills or system configs, and is user-invocable. Autonomous invocation is enabled by default (disable-model-invocation is false), which is normal for skills but users should be aware the agent could call it without explicit user re-confirmation.
What to consider before installing
This skill appears to do what it claims (remote-control vehicles) but the publisher omitted required env vars from the registry metadata and asks you to store your DroneMobile account password in environment variables. Before installing:
1) verify the publisher/source (there's no homepage listed) and inspect the drone-mobile package on PyPI/GitHub;
2) prefer using a scoped API token or OAuth if DroneMobile supports it instead of a long-lived account password;
3) do not store credentials in a broadly accessible global config—use a secure secret store or agent-scoped env only;
4) install the drone-mobile package in an isolated virtual environment (avoid --break-system-packages) and review its source;
5) consider requiring manual confirmation for any start/stop/lock actions or restricting the skill to user-invoked only.
If the publisher updates the registry metadata (declares DRONEMOBILE_EMAIL and DRONEMOBILE_PASSWORD), provides a homepage/source repo, and documents a token-based auth option, this assessment could be upgraded to benign.


latest: vk97dryc26c2nd82z11tj428awx82trh7
