Closeli Open Device Event Query

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed device-event query skill that handles sensitive camera/event credentials, so it is usable but should only be installed in a trusted OpenClaw environment.

Install only if you trust the publisher and need Closeli device-event querying. Use a least-privilege API key, keep ~/.openclaw/.env restricted, verify AI_GATEWAY_HOST points to the expected trusted service, keep TLS verification enabled, and avoid passing API keys on the command line.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Vague Triggers

Medium
Confidence
74% confidence
Finding
The skill advertises very broad natural-language triggers such as asking whether anyone was detected or where a pet went, which could cause an agent to invoke the skill on ambiguous user messages. In a surveillance/event-query context, unintended activation can expose sensitive device metadata, images, or event summaries without sufficiently explicit user intent.

Credential Access

High
Category
Privilege Escalation
Content
def get_api_host(env_vars):
    """
    Get the gateway address: AI_GATEWAY_HOST from ~/.openclaw/.env; falls back to the default if not configured.
    """
    host = env_vars.get("AI_GATEWAY_HOST")
    return host.rstrip("/") if host else DEFAULT_API_HOST
Confidence
82% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
def get_verify_ssl(env_vars):
    """
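    Determine whether TLS certificate verification is enabled. Enabled by default.
    Disabled only when AI_GATEWAY_VERIFY_SSL=false is explicitly set in ~/.openclaw/.env (development environments only).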
    """
    val = env_vars.get("AI_GATEWAY_VERIFY_SSL", "true").lower()
    return val not in ("false", "0", "no")
Confidence
86% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
def main():
    parser = argparse.ArgumentParser(description="查询设备事件")
    parser.add_argument("--api-key", help="API Key 临时覆盖;持久化请写到 ~/.openclaw/.env")
    parser.add_argument("--device-ids", required=True, help="设备 ID 列表,逗号分隔")
    parser.add_argument("--start-date", required=True, help="开始日期,格式 yyyy-MM-dd")
    parser.add_argument("--end-date", required=True, help="结束日期,格式 yyyy-MM-dd")
Confidence
77% confidence
Finding
.env"

Unsafe Defaults

Medium
Category
Tool Misuse
Content
def get_verify_ssl(env_vars):
    """
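    Determine whether TLS certificate verification is enabled. Enabled by default.
    Disabled only when AI_GATEWAY_VERIFY_SSL=false is explicitly set in ~/.openclaw/.env (development environments only).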
    """
    val = env_vars.get("AI_GATEWAY_VERIFY_SSL", "true").lower()
    return val not in ("false", "0", "no")
Confidence
93% confidence
Finding
VERIFY_SSL=false

VirusTotal

65/65 vendors flagged this skill as clean.
