Devin_dingcheng

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill appears to do what it says—query Chengding IoT level-sensor status—but it uses account/device identifiers and an external API that users should verify before use.

Before installing or using this skill, verify that https://www.cd6969.com is the correct Chengding IoT service for your device, configure only the intended key/phone/IMEI values, and be aware that the included script requires curl and jq even though the metadata does not declare them.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using the skill may expose or rely on identifiers tied to a specific Chengding IoT account or device.

Why it was flagged

The skill requires an API key, phone number, and device IMEI to access sensor status; this is purpose-aligned but should be treated as account/device credential handling.

Skill content

The key, tel, and imei parameters must be configured in advance

Recommendation

Only configure credentials for the intended device/account, avoid sharing the configured script, and confirm the API endpoint is the vendor endpoint you expect.

What this means

The script may fail or behave differently if curl or jq are missing or replaced by unexpected local binaries.

Why it was flagged

The helper script depends on curl and jq, while the registry requirements declare no required binaries; this is a metadata completeness issue rather than hidden behavior.

Skill content

response=$(curl -s -X POST "$URL" ...)
...
echo "$response" | jq -r --arg imei "D$IMEI"

Recommendation

Install trusted versions of curl and jq if needed, and consider updating the skill metadata to declare those runtime dependencies.