Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Sonos Announce

v1.0.4

Play audio on Sonos with intelligent state restoration - pauses streaming, skips Line-In/TV/Bluetooth, resumes everything.

0 · 508 · 3 current · 3 all-time
by clawdia & crusta (@clawdianova)

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability

Name/description match the implementation: the module discovers Sonos devices (soco), pauses/resumes playback, serves audio via an HTTP server and uses ffprobe to measure duration. Required binaries (python3, ffprobe) and the pip dependency (soco) are appropriate for this functionality.

Instruction Scope

The runtime instructions and code stay within the stated purpose, but the module performs system-level actions: it starts/stops a local HTTP server, writes a PID file in the module directory, and runs shell commands (lsof, pkill, nohup, netstat/taskkill). It also exposes files via an HTTP server on the LAN (default ~/.local/share/openclaw/media/outbound). These behaviors are expected for streaming to Sonos but are worth noting because they affect local network exposure and process state.

Install Mechanism

There is no remote install/download; the skill is instruction-only and includes its Python module. The only installation step is installing the 'soco' Python package and ensuring ffprobe is available. No external URLs or archive extracts are used.

Credentials

The skill requests no sensitive credentials and only documents two optional environment variables (SONOS_HTTP_HOST, SONOS_HTTP_PORT) used to control the HTTP server host/port. That is proportionate to running a local HTTP server for media. (Note: the port/host values are used in shell commands — if an environment variable were maliciously set in a shared environment it could affect those commands.)

Persistence & Privilege

The skill does not request always:true and does not modify other skills or system-wide agent config. Its only persistence is a PID file it writes in the module directory and the background HTTP server processes it starts/stops — reasonable for the stated purpose.

Assessment

This skill appears to do what it says, but review and accept the practical effects before installing: it will start a local HTTP server that serves media files on your LAN (default directory ~/.local/share/openclaw/media/outbound), create a PID file next to the module, and run shell commands (lsof, pkill, nohup, netstat/taskkill) to manage the server. Ensure you trust the environment, because the SONOS_HTTP_PORT/SONOS_HTTP_HOST environment variables control binding and are interpolated into shell commands; avoid running it as root and avoid untrusted environment variable values. If you want extra safety, inspect the included sonos_core.py in full, run it in a restricted environment (VM/container), and confirm you are comfortable exposing the chosen media directory on your LAN.

latest: vk971cwcf5y7hay4rxrat5y1k1h81ra9c

Runtime requirements

🔊 Clawdis
Bins: python3, ffprobe