Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Workswith Claw

v1.0.3

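Give your home a soul. A smart-home middleware independent of Home Assistant that uses the HA API to provide semantic understanding of devices, habit learning, and intelligent prediction.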

by Fanyur (@fanyur-wang)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's stated purpose is a local HA middleware and the code implements HA API clients, device analysis, habit learning, and YAML automation generation — that is coherent. However the registry/metadata claims no required env vars or primary credential while the code and SKILL.md clearly require HA_URL and HA_TOKEN (and optionally WORKSWITH_CLAW_API_KEY). The metadata omission is an incoherence: a HA-integration skill should declare HA credentials in required envs.
Instruction Scope
SKILL.md instructs the user to provide HA_URL and HA_TOKEN and to run the service locally; the code reads HA_TOKEN/HA_URL from .env and will call the Home Assistant REST API and write YAML files into ~/.homeassistant/automations. Those behaviors match the purpose, but there are two problems: 1) authentication is optional — if WORKSWITH_CLAW_API_KEY is not set the API skips auth (dev mode), and the app enables CORS allow_origins=["*"] — meaning the service can be reachable and used without auth if misconfigured; 2) some service names (openclaw_client, llm_enhancer) suggest potential external network activity contrary to SKILL.md's

Like a lobster shell, security has layers — review code before you run it.
