enzoldhazam
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: enzoldhazam
Version: 1.0.1
The skill bundle is classified as suspicious due to the installation instructions in `SKILL.md` and `README.md` that require `sudo mv enzoldhazam /usr/local/bin/`. While this is a common practice for installing CLI tools globally, it represents a 'risky capability' or 'broad permission' as it requires elevated privileges. The Go source code itself appears benign, focused on controlling thermostats via `enzoldhazam.hu` and managing credentials securely via environment variables or macOS Keychain, without any other indicators of malicious intent such as data exfiltration, persistence, or prompt injection against the agent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used incorrectly, the agent could set an uncomfortable or unintended home temperature.
The included client can change a thermostat target temperature. This is purpose-aligned and SKILL.md requires confirmation, but it is still a device-changing capability.
`_ = writer.WriteField("action", "setThermostat")` ... `_ = writer.WriteField("value", strconv.FormatFloat(temperature, 'f', 1, 64))`
Only approve temperature changes after checking the room name and target temperature; keep the explicit confirmation requirement.
The installed CLI can authenticate to the user's thermostat account and control registered devices.
The skill needs the user's enzoldhazam.hu account credentials to operate the thermostat. That is expected for this integration, but the registry metadata lists no primary credential or required environment variables.
Login (credentials stored in macOS Keychain): `enzoldhazam login` ... `export ENZOLDHAZAM_USER="your-email"` ... `export ENZOLDHAZAM_PASS="your-password"`
Prefer Keychain storage over long-lived shell environment variables, avoid sharing credentials in chats or logs, and use `enzoldhazam logout` when access is no longer needed.
Installing from an unpinned repository could run different code in the future than what was reviewed here.
Setup asks the user to clone and build a remote repository without a pinned version, then place the binary on the system PATH. This is user-directed and related to the skill, but users should verify the source before installing.
`git clone https://github.com/daniel-laszlo/enzoldhazam.git`
`cd enzoldhazam`
`go build -o enzoldhazam ./cmd/enzoldhazam`
`sudo mv enzoldhazam /usr/local/bin/`
Review the repository before building, consider pinning a trusted commit or release tag, and avoid `sudo` unless it is necessary for your PATH setup.
