Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Vector Control

v1.0.1

Control a Vector robot via Wirepod’s local HTTP API on the same network. Use when you need to move Vector, tilt head/lift, speak text, capture camera frames, or run patrol/explore routines from the Pi/Wirepod host. Includes a CLI helper script and endpoint reference.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill's name/description align with the included script and API reference: it implements movement, speech, camera snapshot, patrol/explore, and audio playback via Wirepod HTTP endpoints. One minor mismatch: the script invokes ffmpeg to convert audio but the SKILL.md / registry metadata do not declare ffmpeg or any required binary dependency.
Instruction Scope
SKILL.md instructs the agent/user to run the bundled CLI script and to use local Wirepod endpoints (default base http://localhost:8080). The script itself reads only user-supplied audio files and writes temporary WAVs to /tmp, and uses the Wirepod API. It does allow overriding --base to any URL, which could direct requests (including audio uploads) to a remote host if misused — the documentation expects same-network/local usage but does not enforce it.
Install Mechanism
There is no install spec (instruction-only plus a script), so nothing will be automatically downloaded or written by an installer. This is low-risk. Note: runtime dependency on ffmpeg is present but not declared; ffmpeg must be available on PATH for audio playback to work.
Credentials
The skill does not request any environment variables, credentials, or configuration paths. The SKILL.md references a local file path where an ESN may be found (/etc/wire-pod/.../botSdkInfo.json), but the script does not automatically read arbitrary system credentials. File I/O is limited to user-specified audio files and temporary /tmp files.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system privileges or attempt to modify other skills or system-wide agent settings. It runs as a user-invoked CLI and performs network calls only to the configured base URL.
Assessment
This skill appears to do what it says: control a Vector robot over the local Wirepod HTTP API. Before installing/using it:
(1) Ensure ffmpeg is installed on the host (the script calls ffmpeg but the skill metadata doesn't declare it).
(2) Run the script on a trusted local network — the --base argument can point the script to any URL, so avoid directing it to untrusted external hosts (this would let audio or control commands go off-network).
(3) When using the play command, only provide audio files you trust; the script reads them and writes a temporary WAV in /tmp which it removes afterwards.
(4) Optionally inspect the script yourself (it's included) to confirm behavior before use.
If you need the skill to be restricted to localhost only, consider modifying the script to enforce base='http://localhost:8080' or validating --base at runtime.

