Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
FBoxCLI
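v0.1.0
Manage industrial IoT devices through the FBox CLI command line. View device lists and details, read and write PLC monitoring point data, manage alarms and contacts, query historical data, and manage device groups and unified write groups. Use this skill when the user mentions fboxcli, the FBox command line, CLI scripts, automated operations, or batch device operations.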
by Flexem-Dev @flexemdev
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
Name and description match the documented runtime instructions (managing FBox IoT devices). SKILL.md and README explicitly require the fboxcli binary and FBox platform credentials (client_id/secret or user account), which are appropriate for this purpose — however the registry metadata claims no required env vars or primary credential, creating an inconsistency between what the skill says it needs and what the registry declares.
Instruction Scope
SKILL.md is prescriptive and scoped: it tells the agent to use the fboxcli binary, always request --json, check auth token before operations, avoid auto-inserting credentials, and require explicit user confirmation for all write/delete operations. It does not instruct the agent to read arbitrary files or exfiltrate data to unknown endpoints. It does include actions that will expose device network/config details (IP, DNS, firmware) and perform high-impact write/delete ops if confirmed — which is expected for device management.
Install Mechanism
This is an instruction-only skill (no install spec in registry), so nothing will be written by the skill itself. INSTALL.md recommends installing the fboxcli binary via npm (@flexem/fboxcli), GitHub releases, or building from source — all are standard mechanisms. Verify the npm package and GitHub repo authenticity before installing the binary.
Credentials
SKILL.md and README clearly require platform credentials (OAuth client_id/client_secret or user credentials) and the fboxcli binary; the registry metadata does not declare any required environment variables or primary credential. That mismatch is concerning because sensitive secrets are needed in practice but not declared for review or gating. Also, the operations permitted by the skill (reading IP/DNS, writing control points, deleting devices/history/contacts) are high-impact and justify strict credential handling and least-privilege credentials.
Persistence & Privilege
Skill is not always-enabled (always:false) and is user-invocable; it does not request special system-wide persistence or modify other skills. Autonomous invocation is allowed by default but is not combined with other elevated privileges here.
What to consider before installing
This skill appears to be a legitimate CLI wrapper for FBox device management, but the registry metadata fails to declare the credentials and binary the SKILL.md says are required. Before installing: (1) verify the upstream package/repo (npm @flexem/fboxcli and the GitHub releases) to ensure you trust the binary; (2) confirm which credentials are actually required and how they will be provided — do not store client_secret/passwords in plaintext or share them with untrusted agents; (3) be aware the skill can read device network/config info and perform destructive actions (writes/deletes) — use least-privilege credentials and test in a sandbox first; (4) ask the publisher to update registry metadata to declare required env vars/primary credential and to document any network endpoints and token storage behavior. If you cannot validate the upstream package/repo or the credential handling, treat this skill as risky and avoid installing it in production.
Like a lobster shell, security has layers — review code before you run it.
latest: vk976m7970wrgsm1qh2bds6d7w184k52n
Runtime requirements
OS: macOS · Linux · Windows
