Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Aika Gps

v1.0.0

Retrieve and track technicians' real-time GPS location, find nearest technician, calculate distance and ETA, and create geofences for job monitoring.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (real-time GPS, nearest technician, ETA, geofences) match the code and data files: scripts implement login, scraping/tracking, distance/ETA, and an OpenClaw integration layer. The included references/technicians.json and aika_config.json align with the stated functionality.
Instruction Scope (flagged)
SKILL.md instructs storing the Device ID in references/aika_config.json and installing requests/beautifulsoup4, which is acceptable for a scraper-based integration, but it claims "Use HTTPS only" (translated from Thai) while the config and technicians.json include http:// alternative endpoints. SKILL.md also states that "the password and session token are stored separately in the config file" (translated from Thai), which is inconsistent with the provided references/aika_config.json, which contains a plaintext username/password ("7028888047" / "123456"). These contradictions increase risk and reduce trustworthiness.
Install Mechanism
No external install spec; SKILL.md asks only to pip install requests and beautifulsoup4 (no version pinning). No downloads from arbitrary URLs or archive extraction are present. The skill ships Python scripts which will be executed by the agent — standard but note lack of pinned dependency versions.
Credentials (flagged)
The skill requests no environment variables or platform credentials, instead bundling authentication creds in references/aika_config.json. Storing plaintext credentials in the skill bundle is disproportionate and risky. Also, the config contains an HTTP alternative endpoint and the technicians.json declares 'web_scraping' as the login method — reasonable but sensitive because it implies storing site credentials and scraping HTML. There are no other unrelated credentials requested.
Persistence & Privilege
The skill sets always:false, and no code attempts to modify other skills or system-wide settings. The integration runs its scripts via subprocess, which is expected for this kind of skill. Autonomous invocation is allowed by default (not flagged by itself).
What to consider before installing
Key points to consider before installing:

- Sensitive data: This skill tracks real-time locations of personnel. Ensure you have legal/organizational consent and data-handling policies in place.
- Plaintext credentials: The repo contains references/aika_config.json with username/password in plaintext ("7028888047" / "123456"). Do NOT keep production credentials in bundled files; move secrets to environment variables or a secret store and remove them from the skill files.
- HTTPS mismatch: SKILL.md claims HTTPS-only, but config/technicians.json include http:// fallback URLs. Prefer secure endpoints; avoid using unencrypted HTTP for authentication or location data.
- Verify external endpoint: The scripts communicate with www.aika168.com (and alternative URLs). Confirm that this is the legitimate service you intend to use and audit what data will be sent to that domain.
- Audit and harden: Pin dependency versions, restrict file permissions for config files, and add input/HTML-parsing safeguards. Consider running in demo_mode first and testing with test accounts.
- Deployment choices: If you are uncomfortable with the skill autonomously invoking scripts or accessing network resources, do not enable autonomous invocation, or run it in an isolated environment.

If you want, I can provide a checklist and a sanitized version of the config and code that uses environment variables for credentials and forces HTTPS-only.


Version: latest (vk970zyafm577dtde2cw3jdbv2983e23j)
