DroneMobile

Warn

Audited by ClawScan on May 18, 2026.

Overview

This skill appears to control DroneMobile vehicles as advertised, but it can issue real vehicle commands with under-declared credentials and weak target safeguards.

Only install this if you are comfortable giving OpenClaw access to your DroneMobile account and vehicle controls. Configure a specific device key, verify the vehicle before running commands, and consider modifying the script so it fails instead of using the first vehicle when the device key does not match.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A command such as unlock, start, or open trunk could be sent to an unintended vehicle on the account.

Why it was flagged

If the requested device key is absent or misconfigured, the script continues by selecting the first vehicle instead of failing. Because the same script can run start, stop, lock, unlock, and trunk commands, this creates a real risk of acting on the wrong vehicle.

Skill content

    print(f"WARNING: Device key {device_key} not found — using first vehicle")
    return vehicles[0]

Recommendation

Fail closed when a device key is provided but not found, and require explicit vehicle selection or confirmation before mutating commands.

What this means

Installing the skill requires placing account credentials into the OpenClaw environment, giving the skill authority to control vehicles tied to that account.

Why it was flagged

The skill requires full DroneMobile account credentials for a vehicle-control service, while the supplied registry metadata says there are no required environment variables and no primary credential. This under-declares a sensitive permission boundary.

Skill content

Requires DRONEMOBILE_EMAIL and DRONEMOBILE_PASSWORD environment variables. Optionally DRONEMOBILE_DEVICE_KEY for multi-vehicle accounts.

Recommendation

Declare the required credential and environment variables in metadata, prefer scoped tokens if available, and clearly document what account authority the skill receives.

What this means

A user may install whichever version of the package is current at install time, and the install may affect system-managed Python packages.

Why it was flagged

The dependency is relevant to the skill, but it is installed from PyPI without a pinned version and with an option that can modify the system Python environment.

Skill content

    pip install drone-mobile --break-system-packages

Recommendation

Use a virtual environment or OpenClaw-managed install, pin the package version, and avoid --break-system-packages unless the user understands the impact.