Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Weather Push

v1.0.0

Daily weather push - sends Shenzhen weather + mihomo service status to Feishu on a schedule

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the behavior: the script fetches weather data, computes differences, checks a remote MiHoMo service, and sends a Feishu message. The declared dependencies (python3 + lunarcalendar, SSH access) are consistent with the stated purpose.
Instruction Scope
The SKILL.md and push.sh instruct the agent to SSH into an internal host (10.144.1.3) as a specific user (sulada2) and run systemctl/pgrep on that host. The script also calls a local OpenClaw CLI at a hard-coded user path and writes logs to /tmp. Disabling StrictHostKeyChecking and hard-coded targets give the script broad, specific network/system access that the user may not expect.
Install Mechanism
No install spec — instruction-only plus an included script. Nothing is downloaded or extracted during install, which is low risk. The only runtime requirements are Python packages and SSH access.
Credentials
The skill does not declare env vars or credentials, but it requires SSH credentials/key material to access 10.144.1.3 and expects a user-local openclaw binary path (/home/aisulada/.npm-global/bin/openclaw). These implicit credential assumptions are reasonable for the function but should be explicit; hard-coded username, internal IP, and Feishu target are sensitive and may not be appropriate for other environments.
Persistence & Privilege
The skill is not always-enabled and does not modify other skills or system-wide config. It runs as a scheduled/explicit task only and does not request elevated platform privileges.
What to consider before installing
This script is coherent with its weather+service-check purpose, but review and adapt it before enabling:

- Inspect and change hard-coded values: the SSH target (10.144.1.3), SSH user (sulada2), and the Feishu target OU ID are baked into the script; replace with your own targets or make them configurable.
- Provide SSH credentials intentionally: the script expects an SSH key/agent to allow passwordless SSH. Confirm which key will be used and do not expose private keys.
- Re-enable host-key verification: StrictHostKeyChecking=no weakens SSH security and can allow MitM; consider using known_hosts or more secure SSH options.
- Verify the openclaw CLI path: /home/aisulada/.npm-global/bin/openclaw is user-specific and may not exist; change to the correct path or use a configurable command.
- Check logging and confidentiality: logs are written to /tmp/weather-push.log; ensure log files are stored securely if they contain sensitive identifiers.
- Test in a safe environment first: run manually and confirm outputs, SSH behavior, and that messages are sent to the expected Feishu recipients.

If you want a lower-risk version, request the maintainer remove hard-coded hosts/users, make paths and targets configurable via declared env vars, and avoid disabling SSH host-key checks.
