Skill v1.0.0
ClawScan security
Sonoff · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign, Mar 5, 2026, 11:48 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements, instructions, and declared endpoints align with its stated purpose of controlling SONOFF devices via eWeLink, LAN, DIY, and iHost modes; nothing requested appears unrelated or excessive.
- Guidance
- This skill appears internally consistent and appropriate for controlling SONOFF/eWeLink devices. Before installing or using it: (1) ensure you are comfortable providing EWELINK_API_TOKEN as an environment variable (use a least-privilege account and rotate tokens); (2) confirm curl and jq are available; (3) be aware the skill will create files under ~/sonoff/ and suggests permission settings for them; inspect those files and their contents; (4) recognize the skill will make local LAN calls to device IPs and calls to eWeLink/coolkit cloud endpoints (expected for this purpose); (5) never paste your token into chat; follow the skill's guidance to keep secrets in environment variables only. If you want extra assurance, review the created ~/sonoff/* files and run the skill in read-only/dry-run mode first.
Review Dimensions
- Purpose & Capability
- ok: Name/description (eWeLink cloud, LAN, DIY control) match the declared requirements: EWELINK_API_TOKEN for cloud, and curl/jq for making and parsing HTTP requests. Declared endpoints (coolkit.cc, dev.ewelink.cc, local zeroconf and iHost URLs) are exactly the types of endpoints needed for this functionality.
- Instruction Scope
- ok: SKILL.md and auxiliary docs stay on-topic: they describe discovery, read-before-write loops, control-plane selection, safety gates, and local workspace usage. The instructions reference only the env var(s) and local ~/sonoff/ files that are relevant to operation. They explicitly warn not to paste secrets into chat and to avoid persisting raw tokens.
- Install Mechanism
- ok: There is no install script or remote download; the skill is instruction-only. That reduces filesystem/network install risk. Required binaries (curl, jq) are reasonable and proportionate to the described HTTP+JSON tasks.
- Credentials
- ok: Only EWELINK_API_TOKEN is required (primary credential) and is justified for cloud API control. No unrelated credentials or broad-system config paths are requested. The docs explicitly instruct reading the token from environment and not persisting raw tokens.
- Persistence & Privilege
- note: The skill recommends creating and managing a local workspace under ~/sonoff/ (memory.md, devices.md, etc.) and provides shell commands (mkdir, chmod). This is coherent for a skill that maintains local state, but users should be aware files will be created in their home directory and given recommended permissions.
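The Guidance list and the Persistence & Privilege note above amount to a pre-install checklist: token only in the environment, curl and jq present, workspace files under ~/sonoff/ with tight permissions and no persisted token. The POSIX shell script below is an added example that performs those checks mechanically; it is not code from the skill, from eWeLink or from ClawHub. It relies only on what the review states (the EWELINK_API_TOKEN variable, the ~/sonoff/ workspace, the curl and jq requirement). Assumed, not taken from the review: the script name sonoff-preflight.sh, that the skill's "recommended permissions" mean owner-only (0700 directory, 0600 files), and that file names inside the workspace do not matter to the checks.

```shell
#!/bin/sh
# Pre-install checks for the Sonoff skill reviewed on this page. Added example: not code
# from the skill, from eWeLink or from ClawHub. Facts used from the review: the token is
# read from EWELINK_API_TOKEN, local state lives under ~/sonoff/, curl and jq are required.
# Assumptions (not from the review): "recommended permissions" means owner-only
# (0700 directory, 0600 files); file names inside the workspace are irrelevant here.

# 0 if the token is present and non-empty in the environment.
token_in_env() {
  [ -n "${EWELINK_API_TOKEN:-}" ]
}

# 0 if both binaries the skill declares (curl, jq) are on PATH.
have_tools() {
  for tool in curl jq; do
    command -v "$tool" >/dev/null 2>&1 || return 1
  done
}

# Print workspace entries (the directory itself and its immediate children) whose
# group/other permission bits are not all clear; return 1 if any were found, else 0.
# Columns 5-10 of the POSIX ls -l mode string are the group and other bits, so this
# needs no GNU-specific stat or find options.
loose_perms() {
  dir=$1
  rc=0
  [ -d "$dir" ] || return 0
  for f in "$dir" "$dir"/* "$dir"/.[!.]*; do
    [ -e "$f" ] || continue
    bits=$(ls -ld "$f" | cut -c5-10)
    if [ "$bits" != "------" ]; then
      printf '%s %s\n' "$bits" "$f"
      rc=1
    fi
  done
  return "$rc"
}

# 0 if the raw token value appears in no regular file under dir (the skill's docs say
# not to persist it); otherwise print the offending files and return 1.
# Fixed-string match; the token value itself is never printed.
token_not_persisted() {
  dir=$1
  [ -d "$dir" ] || return 0
  [ -n "${EWELINK_API_TOKEN:-}" ] || return 0
  # grep exits 1 when nothing matches, which is the good case, so do not let it abort us.
  hits=$(find "$dir" -type f -exec grep -lF -- "$EWELINK_API_TOKEN" {} + 2>/dev/null) || true
  [ -z "$hits" ] || { printf '%s\n' "$hits"; return 1; }
}

report() { printf '%-20s %s\n' "$1" "$2"; }

# Run all checks against a workspace directory (default ~/sonoff); return 0 only if all pass.
preflight() {
  ws=${1:-$HOME/sonoff}
  status=0
  if token_in_env; then report token_in_env PASS
  else report token_in_env "FAIL: export EWELINK_API_TOKEN (never paste it into chat)"; status=1; fi
  if have_tools; then report have_tools PASS
  else report have_tools "FAIL: curl and jq must be on PATH"; status=1; fi
  if out=$(loose_perms "$ws"); then report loose_perms PASS
  else report loose_perms "FAIL: group/other bits set (chmod 700 dir, 600 files):"; printf '%s\n' "$out"; status=1; fi
  if out=$(token_not_persisted "$ws"); then report token_not_persisted PASS
  else report token_not_persisted "FAIL: raw token found in:"; printf '%s\n' "$out"; status=1; fi
  return "$status"
}

# Usage:  sh sonoff-preflight.sh ~/sonoff
# Pass the workspace directory to run the checks; the exit status is 0 only when all pass.
if [ $# -gt 0 ]; then
  preflight "$1"
fi
```

The first two checks are about the host and can run before installing; the last two inspect the workspace, which does not exist until the skill has run once, so run the script again after the read-only/dry-run pass the guidance recommends. The token check greps for the exact token value rather than for a pattern, so it also catches the token embedded in a larger line such as a saved curl command.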
