Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Cinmoore Skill Devices
v1.0.0 · 神眸 (Shenmou) smart-device control skill: integrates atomic capabilities such as device control, video recording, event queries and VLM analysis, and supports AI intent understanding and automated composition of those capabilities. Invoke when the user wants to control devices, analyze video, query events, or understand device capabilities.
⭐ 0 · 44 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
The description (device control, video recording, VLM analysis) matches the CLI commands in SKILL.md. However, the skill metadata declares no required environment variables or credentials, while the README and SKILL.md clearly expect a .env file containing SDK credentials, LLM/VLM API keys, and a user/password. That mismatch (no declared env but instructions requiring multiple secrets) is inconsistent and unexplained.
Instruction Scope
The SKILL.md instructs agents to download and only interact with a compiled executable for all operations and explicitly forbids inspecting its contents (agents "绝对不可", i.e. "absolutely must not", view the binary). It also directs creation/use of a .env file with many credentials. The instructions thus grant the binary broad access and attempt to prevent transparency or review — scope exceeds a simple CLI mapping and prevents independent verification.
Install Mechanism
Install steps (in openclaw.install) download platform-specific executables and FFmpeg from an Alibaba OSS bucket (super-acme-shoot-sh.oss-cn-shanghai.aliyuncs.com) and write them to disk. This is a high-risk pattern: arbitrary compiled code fetched from a third-party URL with no published checksums or provenance. No standard package/release host (GitHub release, official vendor) or signature is provided.
Credentials
Although the registry lists no required env vars, the README/.env template expects many sensitive values (SDK_APP_KEY/SECRET, SDK_USERNAME/PASSWORD, LLM_API_KEY, model endpoints). Requesting these secrets could be legitimate for LLM/VLM and device SDKs, but the skill fails to declare them in metadata and gives no justification for storing username/password alongside API keys. The combination of undeclared secrets + opaque binary is disproportionate.
Persistence & Privilege
The "always" flag is false and the skill doesn't declare system-wide changes. The install writes binaries and a .env file into the working directory and claims it will register a global command (README), but the provided install commands only download files locally. Still, the binary could later persist or call home; the SKILL.md warning not to inspect the binary is an additional operational control that increases risk.
What to consider before installing
This skill raises several red flags you should consider before installing: it downloads and runs a closed-source executable from a third-party OSS URL (no checksums or signatures), asks you to store many sensitive credentials (API keys, username/password) even though the registry metadata lists none, and explicitly forbids inspecting the binary — which prevents auditing.

If you need this functionality, prefer a vendor-signed release or published source code, ask for cryptographic checksums and a verifiable release host (e.g., GitHub Releases or vendor site), and insist on minimal required credentials.

If you must test it: run it in an isolated sandbox or VM with no access to other sensitive systems or corporate credentials, monitor outbound network connections, and do not place real API keys or passwords in .env (use test accounts).

Request from the publisher:
1. source code or reproducible build instructions,
2. signed binaries with checksums,
3. an explanation of why credentials are required and which exact values are mandatory, and
4. confirmation that the local homepage (192.168.8.60) and the OSS download URLs are legitimate for your environment.

Providing these will increase confidence and could change the assessment.
latest · vk97anfwe71xg9q67dbb6gkqctx84d21h
Runtime requirements
🏠 Clawdis
