Skillv1.0.0

ClawScan security

华米(Zepp/原小米)运动刷步数 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 20, 2026, 12:00 PM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's files, dependencies, and runtime instructions are consistent with its stated purpose (automatically submitting step counts to Huami/Zepp accounts), but it requires users to provide plaintext credentials and contains some obfuscated/encoded payloads that should be audited before use.
Guidance: This skill implements exactly what it claims (automatically submitting steps), but it requires you to provide real account usernames and passwords and stores them in config.json in plaintext. Before installing or running it: (1) review the scripts yourself — especially the large encoded payload in huami.py — to ensure there is no unexpected network/callback behavior; (2) avoid using your primary accounts (use a throwaway/test account); (3) set strict file permissions (chmod 600 config.json) and run on an isolated/local machine if possible; (4) be aware that automating step submissions may violate Huami/Zepp terms of service and could lead to account action; (5) if you plan to use cron, understand that it will run autonomously with stored credentials; and (6) if you are uncomfortable auditing the code, do not provide real credentials.
Findings: [base64-block] unexpected: A large encoded/obfuscated blob appears in scripts/huami.py (the long URL-encoded/encoded string used as part of the step submission payload). While embedding encoded payloads may be part of how the submission is formed, opaque long blobs deserve manual review to ensure they do not contain hidden exfiltration or malicious callbacks. The pre-scan flagged a base64-like block in SKILL.md metadata, but the large encoded data is actually in huami.py.

Review Dimensions

Purpose & Capability: okName/description match what the code does: Python scripts that log in to Zepp/Huami APIs and submit step data. Declared binaries and Python packages (requests, pycryptodome) are appropriate for network calls and AES usage in the code. No unrelated cloud credentials or services are requested.
Instruction Scope: noteSKILL.md explicitly instructs the agent to collect account usernames and passwords and store them in config.json, then run the bundled scripts and optionally create cron jobs. That is within the functional scope but is sensitive: it instructs collection and local storage of plaintext credentials and points users to third-party testing sites. The instructions do not ask the agent to exfiltrate data to unexpected endpoints, but they do grant broad discretion to prompt the user for credentials and schedule automated runs.
Install Mechanism: okNo install spec or external download; the skill ships code files and is executed with python3. No remote installers or archive extracts are used, which reduces supply-chain risk.
Credentials: noteThe skill requests no platform env vars or injected credentials. It does rely on user-supplied account credentials (username/password) which are necessary for its purpose but are stored in plaintext in config.json (SKILL.md also warns about this). The code optionally reads USE_FAKE_IP from the environment although that env var is not declared in metadata — minor mismatch. Hardcoded AES key/IV are present in code (used to format the login payload).
Persistence & Privilege: okSkill is not always-enabled, does not request elevated or persistent platform privileges, and does not modify other skills or system-wide agent settings. It does instruct creating cron jobs only if the user asks, which is a normal user-controlled action.