cmaiot-basic-general-kit
v1.0.2
Queries and controls products and devices on the cmaiot platform, and can obtain the playback address of video devices. The official name of the cmaiot platform is the China Mobile AIoT platform. The product API Key and product ID needed for the connection are saved by the cmaiot tool. Currently only devices that use a thing model are supported.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw: Benign (high confidence)
Purpose & Capability
Name, description, SKILL.md and the included scripts/cmaiot.js all target the China Mobile AIoT/OneNet APIs (base URL iot-api.heclouds.com). The commands implemented (add, ls, model, detail, live, call, set, enable/disable) align with the stated purpose of querying and controlling products/devices and obtaining video addresses. No unrelated services, binaries, or credentials are requested.
Instruction Scope
SKILL.md explicitly requires invoking scripts/cmaiot.js for every device query (no caching) and documents the CLI usage. The runtime instructions do not instruct reading unrelated system files or other credentials. Note: the script logs full request/response bodies to stdout and stores product access keys in a local config.json inside the SKILL directory (plaintext). These behaviors are coherent with the skill's function but have privacy implications (sensitive device data and access keys may appear in logs or on disk).
Install Mechanism
This is an instruction-only skill with one included JS script and no installation spec. Nothing is downloaded from external URLs or written to system locations by an installer. The risk surface from installation is low; the only file writes come from the script's runtime behavior (creating config.json).
Credentials
The skill requests no environment variables or external credentials up front; instead it expects the user to run 'add productId/accessKey' and stores those accessKeys in a local config.json. That is proportional to the stated purpose, but storing access keys in plaintext and printing API responses to console are privacy/security considerations the user should be aware of.
Persistence & Privilege
The skill is not marked always:true and does not request elevated platform privileges. It does persist product credentials to a local config.json in the skill directory (its own state), which is normal for this type of CLI helper.
Assessment
This skill appears to do what it says (wrap OneNet / China Mobile AIoT APIs). Before installing or using it: 1) Treat the product accessKey like a secret — the script stores it in plaintext in SKILL_DIR/scripts/config.json, so ensure that directory is protected and rotate keys if needed. 2) Be aware the script logs full request and response bodies to stdout (these may include device identifiers, statuses, or tokens), so avoid running it in logs you don't trust. 3) Confirm you trust the skill source before adding real production credentials. 4) If you need stronger protections, avoid storing long-lived keys here or modify the script to encrypt keys / reduce logging. If you'd like, I can propose a small patch to avoid printing full responses or to encrypt the config file.
scripts/cmaiot.js:17: File read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
Runtime requirements: 📟 Clawdis (latest)
Commands
Add Token
scripts/cmaiot.js add productId/accessKey
Query or set data
Some arguments in the commands below are separated by /; every argument is required.
# List the products that have already been added
# If no product has been added yet, ask the user for the product ID and access key
scripts/cmaiot.js ls
# Query the thing model; identifier is the field identifier
# services are the services the platform can invoke remotely
# events are the events a device may trigger on its own
# properties are device properties; the device can report them and the platform can set them with a downlink command
scripts/cmaiot.js model productId
# List devices
scripts/cmaiot.js ls productId
# Read a device's properties
scripts/cmaiot.js ls productId/deviceName
# Query device details
# Use this to look up a video device's Sn
scripts/cmaiot.js detail productId/deviceName
# Get the live-stream address of a video device
# Note: there are 3 arguments, separated by /
scripts/cmaiot.js live productId/deviceName/deviceSn
# Invoke a device service
# serviceId and identifier must be obtained by querying the thing model
scripts/cmaiot.js call productId/deviceName/serviceId '{"identifier":"value"}'
# Set a device property
# identifier must be obtained by querying the thing model
scripts/cmaiot.js set productId/deviceName '{"identifier":"string"}'
scripts/cmaiot.js set productId/deviceName '{"intValue": 20}'
# Enable/disable a device; LwM2M devices require the IMEI
scripts/cmaiot.js enable productId/deviceName
scripts/cmaiot.js disable productId/deviceName/imeiValue
Notes
Every time the user asks about the status of a cmaiot device, the scripts/cmaiot.js tool in the SKILL directory must be called to query it; cached results must not be used.
Exception
Setting properties and invoking services are synchronous interfaces and require the device to be online; enabling/disabling a device does not. Offline or non-existent devices should be skipped. If a device control call times out, the operation is considered failed.
Output Format
Answers involving OneNET must strictly follow the output format below
China Mobile AIoT platform
🔍 Parsing the instruction...
✅ Identified devices: device A, device B, device C
🎯 Target state: disabled
📡 Fetching device status...
• Device A: online ✓
• Device B: online ✓
• Device C: offline ✗
⚙️ Executing XX operation...
• Device A: XX succeeded ✓
• Device B: XX succeeded ✓
• Device C: skipped (offline) ⏭️
📊 Execution summary:
━━━━━━━━━━━━━━━━━━
✅ Succeeded: 2 devices
⏭️ Skipped: 1 device (device C, offline)
❌ Failed: 0 devices
━━━━━━━━━━━━━━━━━━
