Duwi Smart Home

v1.0.6

Duwi smart home skill, based on the Duwi open platform API, supporting device control, scene execution, status queries, and more

by 迪惟科技 @duwi2024
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Benign
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Duwi Smart Home) align with the code: a DuwiClient, CLI, device handlers and an init_config helper implement device control, queries and scene execution against Duwi's open API. The requested/used resources (appkey/secret, user login, local config/token files) are expected for this purpose.
Instruction Scope
SKILL.md instructs the user/agent to configure APPKEY/SECRET, run init_config.py and use duwi_cli.py for login and device control. The runtime instructions and code access only local config/token files (in the skill folder) and the Duwi API endpoint (BASE_URL = https://openapi.duwi.com.cn/homeApi/v1). There are no instructions to read unrelated system files or to transmit data to unexpected endpoints.
Install Mechanism
There is no install spec (no packages downloaded at install time) which reduces risk. However, the package contains Python scripts and the SKILL.md/CLI assume a Python runtime and the 'requests' package; the registry metadata declared no required binaries. This mismatch is a minor issue: the skill needs Python (and the requests library) to run but does not declare that dependency in the registry metadata or provide an install step.
Credentials
The skill does not request environment variables or external credentials beyond the Duwi APPKEY/SECRET and user phone/password (entered interactively). Those credentials are proportionate to the described functionality. The code saves tokens and the app config locally (app_config.json, token_cache.json) and sets file permissions where possible.
Persistence & Privilege
The skill does not request always: true and does not modify other skills or system-wide settings. It persists only its own configuration and token files in the skill directory. Agent autonomous invocation is allowed by default (not a flag on its own) and is not combined with other concerning privileges.
Assessment
This skill appears to do what it says: it implements a Duwi API client and CLI for smart-home control. Before installing, consider: (1) it requires a Python runtime and the 'requests' library — install/verify these before use; (2) you will provide an APPKEY and SECRET (application-level credentials) and your account phone/password; these are stored locally in app_config.json and token_cache.json in the skill directory — check and, if desired, relocate or protect those files; (3) the skill talks to https://openapi.duwi.com.cn/homeApi/v1 — if you need to verify the vendor, confirm this endpoint and the package origin (source/homepage are unknown in the registry metadata); (4) review the included scripts yourself (they are plain Python and human-readable) if you have sensitive environments; (5) run the tool in a constrained environment or VM if you want to limit blast radius. Overall, nothing in the code indicates covert exfiltration or unrelated behavior, but verify the APPKEY/SECRET handling and the network endpoint if provenance is a concern.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ejppkdwa3ageqtt7cjv0s4n84cevj

