Capital Equipment Network (CapNetEq)

v1.0.0

Search, book, and manage scientific research equipment across 500+ facilities, track usage, submit service requests, and find collaborators securely.

by Francesco Piscani @cesco345
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
The described capabilities (search, book, submit requests, OAuth) logically require an external service and authentication. However, the registry metadata declares no required credentials or config paths, while SKILL.md explicitly references OAuth 2.1 and instructs adding an SSE endpoint. That mismatch (no declared creds but an OAuth flow implied) and the unknown source/homepage are concerning.
[!] Instruction Scope
Runtime instructions tell the agent owner to add an external Server-Sent Events endpoint to OpenClaw's config and rely on platform tools (search_equipment, get_pricing, etc.). Automations explicitly instruct the agent to read persistent memory (saved searches, previous scout results) and to proactively send notifications to user channels. The SKILL.md does not limit or detail what data the external SSE server may receive or request, nor how OAuth tokens are obtained or stored.
Install Mechanism
There is no install spec and no code files that would be written to disk. Being instruction-only reduces supply-chain risk because nothing is automatically downloaded or executed locally.
[!] Credentials
The skill implies the need for OAuth credentials and access to notification channels but the manifest declares no required environment variables or primary credential. The SSE URL provided points to a 'capital-equipment-dev.cloudfunctions.net' domain (a developer/test host), which is unexpected for a production-grade marketplace and raises proportionality/trust concerns.
[!] Persistence & Privilege
Automations in AUTOMATIONS.md are designed to run periodically (cron/heartbeat) and use OpenClaw persistent memory and notification channels to proactively push updates. The skill also instructs modifying the agent config to add an external SSE server. Persistent/background activity plus an external push endpoint increases the blast radius if the endpoint or the automation prompts are malicious or misconfigured.
What to consider before installing
Do not add the SSE endpoint or enable automations until you verify a few things:
(1) who operates this skill (official homepage or organization),
(2) confirm a production-grade endpoint (not a '...-dev.cloudfunctions.net' URL) and request an explanation of what data the SSE stream will receive and what it may trigger,
(3) ask for the OAuth flow details: what client id/secret are required, where tokens are stored, and whether the skill will request scopes beyond booking/searching,
(4) ask how notifications are delivered to WhatsApp/Slack/Discord and whether those integrations require additional tokens you must provide,
(5) request the full list of agent tools the skill expects (search_equipment, get_pricing, etc.) and proof they exist on your OpenClaw instance, and
(6) prefer a verifiable open-source or vendor-provided package/homepage before enabling proactive automations.
If you cannot get satisfactory answers or the endpoint remains a dev host, treat this skill as untrusted and avoid enabling it or adding the SSE server entry.

Like a lobster shell, security has layers — review code before you run it.

latestvk978ypqj44gh76dze6j08bwq4x821sp7
