Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Mqtt Client

v1.0.7

This is a simple client for connecting to an mqtt instance

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name/description match the included Python code (a simple MQTT subscriber). However the SKILL.md and files contradict the declared requirements: SKILL.md claims 'no parameters' and 'no required env vars', yet run.py reads MQTT_BROKER, MQTT_PORT, MQTT_TOPIC, MQTT_USERNAME, and MQTT_PASSWORD from the environment. bootstrap.sh expects a pre-created venv and an .env in a hard-coded /home/jc/.openclaw/... workspace path. These environment/config expectations are not declared in the skill metadata and look disproportionate to the stated 'simple client' purpose.
Instruction Scope
SKILL.md instructs running scripts/bootstrap.sh which sources an absolute path and an .env, then runs run.py. run.py subscribes to all topics ('#') and logs message payloads to stdout. The instructions do not document what .env must contain or where logs go. The agent would therefore load unspecified environment variables and could receive broad message traffic (potentially sensitive), contrary to the claim that 'no parameters' are required.
Install Mechanism
There is no install spec. requirements.txt lists paho.mqtt but bootstrap.sh does not install it nor create the venv; instead bootstrap.sh activates a venv at a hard-coded absolute path. That makes the script brittle and indicates the package expects a pre-initialized developer environment rather than a proper install step. This is an operational risk (will fail silently or unexpectedly) and increases the chance of accidental exposure if you run it without checking.
Credentials
The skill declares no required environment variables, yet run.py relies on multiple MQTT-related env vars (including username/password) and bootstrap.sh sources an .env file. Requiring unspecified secrets (via an .env) without declaring them is disproportionate and a transparency issue. Additionally, subscribing to '#' can surface many messages—if those messages are sensitive they could be logged where agent logs are collected.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It runs a short-lived (60s) background loop and performs no persistent configuration changes. Persistence/privilege level is appropriate.
What to consider before installing
Do not run this skill as-is against real brokers or with real credentials. Key concerns:
(1) bootstrap.sh hardcodes a /home/jc/.openclaw/... path and activates a venv that may not exist;
(2) the script sources an .env (not listed in required envs) and run.py reads MQTT_USERNAME and MQTT_PASSWORD—inspect that .env to ensure it doesn't contain secrets you don't want exposed;
(3) run.py subscribes to all topics ('#') and logs message payloads to stdout (logs may be aggregated or retained);
(4) requirements.txt lists paho.mqtt but there's no automated pip install—ensure dependencies are installed in an isolated environment.
Recommended steps before installing: inspect or create the .env contents, replace hard-coded paths with relative or runtime-determined paths, add explicit install steps (pip install -r requirements.txt) or documentation, enumerate required env vars in the skill manifest, and run the client in an isolated environment (container or throwaway VM) connected to a test broker.
If you need stronger assurance, ask the author to remove absolute paths, explicitly declare required env vars, and provide a proper install script that creates a venv and installs dependencies.



Runtime requirements

Clawdis
Bins: python
