petkit-monitor
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: petkit-monitor
Version: 1.0.0
The skill bundle contains hardcoded plaintext credentials (a Chinese phone number and password) in the 'config.json' file, which constitutes a significant security risk and a credential leak. While the Python script ('petkit_monitor.py') appears to be a functional tool for monitoring PetKit devices using the legitimate 'petkitaio' library, the inclusion of specific account details in a shared bundle is highly irregular. No evidence of intentional data exfiltration to third-party servers or malicious backdoors was found in the code logic.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill as-is could access someone else's PetKit account, expose the account password, and may log the legitimate mobile app session out, as SKILL.md warns.
The distributed config file contains a cleartext PetKit account identifier and password. The script is designed to read this config and use those credentials for PetKit login, so anyone receiving the skill may gain access to that account's device data.
"username": "18055988330", "password": "Hjh1…0361"
Do not ship credentials in the package. Remove this config, rotate the exposed PetKit password, require each user to provide their own credential through a safer secret mechanism, and declare the credential/config requirement in metadata.
A user may need to install third-party code that handles their PetKit credentials, and the reviewed artifacts do not pin or document the exact package version.
The skill requires an external Python package to perform the PetKit integration, but the supplied artifacts do not include a pinned dependency or install specification.
from petkitaio import constants ... from petkitaio import PetKitClient ... "Run: pip3 install petkitaio"
Provide an install spec or requirements file with a pinned trusted package version, and users should verify the petkitaio package source before entering account credentials.
