ClawHub

enzoldhazam

AdvisoryAudited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note
ASI02: Tool Misuse and Exploitation
What this means

If used incorrectly, the agent could set an uncomfortable or unintended home temperature.

Why it was flagged

The included client can change a thermostat target temperature. This is purpose-aligned and SKILL.md requires confirmation, but it is still a device-changing capability.

Skill content
_ = writer.WriteField("action", "setThermostat") ... _ = writer.WriteField("value", strconv.FormatFloat(temperature, 'f', 1, 64))
Recommendation

Only approve temperature changes after checking the room name and target temperature; keep the explicit confirmation requirement.

Note
ASI03: Identity and Privilege Abuse
What this means

The installed CLI can authenticate to the user's thermostat account and control registered devices.

Why it was flagged

The skill needs the user's enzoldhazam.hu account credentials to operate the thermostat. That is expected for this integration, but the registry metadata lists no primary credential or required environment variables.

Skill content
Login (credentials stored in macOS Keychain): `enzoldhazam login` ... `export ENZOLDHAZAM_USER="your-email"` ... `export ENZOLDHAZAM_PASS="your-password"`
Recommendation

Prefer Keychain storage over long-lived shell environment variables, avoid sharing credentials in chats or logs, and use `enzoldhazam logout` when access is no longer needed.

Note
ASI04: Agentic Supply Chain Vulnerabilities
What this means

Installing from an unpinned repository could run different code in the future than what was reviewed here.

Why it was flagged

Setup asks the user to clone and build a remote repository without a pinned version, then place the binary on the system PATH. This is user-directed and related to the skill, but users should verify the source before installing.

Skill content
git clone https://github.com/daniel-laszlo/enzoldhazam.git
cd enzoldhazam
go build -o enzoldhazam ./cmd/enzoldhazam
sudo mv enzoldhazam /usr/local/bin/
Recommendation

Review the repository before building, consider pinning a trusted commit or release tag, and avoid `sudo` unless it is necessary for your PATH setup.