Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

communication-mqtt

v1.0.1

Provides the ability to publish and subscribe to agent Intro and Status messages through an MQTT broker. Use it when communication between agents is needed.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the implementation: the scripts publish/subscribe agent intro and status messages via MQTT. One minor mismatch: SKILL.md instructs the user to check ~/.openclaw/openclaw.json for an agent_id, but the skill does not declare that config path as required — reading that file is a user instruction, not performed by the code.
Instruction Scope
Runtime instructions are narrowly scoped to installing paho-mqtt/typer and using the included scripts against a local MQTT broker. The README suggests running cat ~/.openclaw/openclaw.json to find agent_id (a reference to a local config file); the code itself does not read arbitrary system files. Instructions are not open-ended and do not direct data to external endpoints.
Install Mechanism
No install spec in the registry (instruction-only). The user is told to pip install common packages (paho-mqtt, typer). There are no downloads or extract steps from unknown URLs.
Credentials
The skill requires no environment variables or external credentials. However: (1) SKILL.md references ~/.openclaw/openclaw.json (a local config path) as a way to find agent_id but that path is not declared; (2) publish.py uses retained MQTT messages (RETAIN=True), so posted info will persist on the broker and be visible to any client that can connect — ensure the broker is trusted and not publicly accessible.
Persistence & Privilege
always is false and the skill does not modify other skills or system-wide settings. The skill can be invoked autonomously (platform default) but it only connects to localhost:1883 per its hard-coded settings.
Assessment
This skill is internally consistent: it publishes and subscribes to agent intro/status messages via a local MQTT broker (localhost:1883). Before installing or using it: (1) confirm you run a trusted local MQTT broker — retained messages (RETAIN=True) persist on the broker and could be read by any client that can connect; (2) the SKILL.md suggests checking ~/.openclaw/openclaw.json to find your agent_id, but the scripts require you to pass agent_id explicitly and do not auto-read that file — only inspect that file yourself if you need the ID; (3) the code talks only to localhost and has no external endpoints, so risk is limited to your network exposure of the MQTT broker; (4) pip-installing paho-mqtt and typer is required. If you plan to use this on a shared or network-reachable broker, avoid publishing sensitive data or disable retention. If you want stronger assurance, review the two included scripts locally (they are small and readable) and confirm BROKER is set to an intended host before running.


