Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Devin_dingcheng
v1.0.0 Reads the device status of 橙丁物联 liquid-level sensors. Use cases: (1) query whether the liquid-level sensor is online; (2) get the device switch state; (3) monitor liquid-level devices on a schedule. The key, tel and imei parameters must be configured in advance.
⭐ 0 · 334 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
Name/description match the included behavior: the SKILL.md and script call https://www.cd6969.com/admin.php?s=/Admin/ApiV2/getList.html to retrieve device status. However the skill metadata declares no required binaries or env vars while the script requires curl and jq and the README instructs the user to configure key/tel/imei — these deployment requirements are not declared in the registry metadata.
Instruction Scope
Runtime instructions and the script instruct you to place secrets (KEY, TEL, IMEI) directly in scripts (plaintext). The script posts key and tel to an external endpoint and parses the response with jq. The instructions do not recommend secure handling of credentials, nor do they offer an alternative (env vars or prompts). While the network call is expected for this purpose, asking users to hard-code private values into a file broadens risk.
Install Mechanism
No install spec (instruction-only), which minimizes installation risk. However, the script depends on runtime tools (curl, jq) that the skill metadata does not declare; that mismatch is a procedural omission that could lead users to run missing or unknown binaries.
Credentials
The skill only needs device-specific values (key, phone, imei) which are proportionate to its purpose, but it does not declare them as required environment variables and instead expects them embedded into the script. That encourages insecure handling of secrets. There are no unrelated cloud or system credentials requested.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system settings, and has no install-time persistence. Autonomous invocation is allowed by platform default but not combined with other concerning privileges here.
What to consider before installing
This skill appears to perform legitimate queries against a vendor API, but it has several things you should consider before running or installing it:
- Do not paste real keys/phone numbers into the script file in plaintext. Instead, modify the script to read KEY, TEL, and IMEI from environment variables or a protected config file, or prompt at runtime.
- The script uses jq (and curl). Ensure jq is installed from a trusted package source before running. The skill metadata should list these dependencies but does not — treat that as an omission.
- Verify the endpoint (https://www.cd6969.com) is the legitimate vendor service you expect. If you do not recognize the domain, validate with the device vendor or use network isolation/testing with dummy credentials.
- Review the script locally before executing. It is short and readable; ensure it only posts the device key/tel and parses the response as shown.
- For safer testing, use dummy values and run in an isolated environment (container/VM) first.
If you plan to use this skill long-term, ask the publisher to: declare required binaries (curl, jq), provide a secure configuration method (env vars or secret store) rather than hard-coded credentials, and include a brief security note about what data is sent to the vendor endpoint.
