Skill v1.0.1

ClawScan security

Imou Open Device Manage · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 18, 2026, 11:31 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and runtime instructions match its stated purpose (managing Imou cloud devices) and only request the Imou app credentials needed to call Imou APIs; nothing obvious or disproportionate is present.
Guidance
This skill appears coherent and implements exactly what it claims: it exchanges your IMOU_APP_ID and IMOU_APP_SECRET for an Imou access token and calls Imou endpoints to list/get/rename devices. Before installing: (1) ensure you trust the skill source — it will transmit your appId/appSecret to whatever IMOU_BASE_URL is configured; (2) prefer using a limited or test developer app credential rather than reusing high-privilege credentials; (3) confirm or set IMOU_BASE_URL to the official Imou API endpoint (the code defaults to https://openapi.lechange.cn); (4) note the small manifest inconsistencies (IMOU_BASE_URL is used but not declared in registry env list, and SKILL.md lists a pip install even though registry shows no install spec) — these are implementation/metadata issues rather than security red flags. If you need higher assurance, review the included Python files locally to verify there are no modifications to endpoints or hidden network calls before providing credentials.

Review Dimensions

Purpose & Capability
ok
Name/description describe Imou device listing and rename operations and the package only requires IMOU_APP_ID and IMOU_APP_SECRET (credentials appropriate for Imou Open API). Requested capabilities (list/get/rename) map to the code and referenced Imou endpoints.
Instruction Scope
ok
SKILL.md and scripts specify only the actions necessary to obtain a token and call Imou APIs. The instructions do not direct reading unrelated files or sending data to third parties. One minor scope note: SKILL.md treats IMOU_BASE_URL as required (and the code reads it), but the registry's top-level required env list omitted IMOU_BASE_URL.
Install Mechanism
note
No external binary downloads or risky installers; dependencies are a simple Python requests requirement. The registry summary said 'No install spec', but SKILL.md metadata includes a pip install for requests and there is a requirements.txt — this is a low-risk inconsistency but not a security problem.
Credentials
note
Only IMOU_APP_ID and IMOU_APP_SECRET are required (appropriate). The code also uses IMOU_BASE_URL if set (or a sensible default); IMOU_BASE_URL is used only to contact the Imou API. Registry metadata omitted IMOU_BASE_URL even though SKILL.md and the code treat it as required/configurable.
Persistence & Privilege
ok
The skill is instruction-only with no elevated platform privileges (always:false). It does not modify other skills or system-wide config and does not request persistent presence.