Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
LG ThinQ
v1.0.0
Control LG smart appliances via ThinQ API. Use when user asks about their fridge, washer, dryer, AC, or other LG appliances. Supports checking status, changing temperature, toggling modes (express, eco), and monitoring door status.
⭐ 0 · 1.9k · 1 current · 1 all-time
by hikaio @kaiofreitas
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the code and instructions: the CLI uses the ThinQ API (via thinqconnect) to list devices, query status, and send control payloads. Required resources (a ThinQ personal access token and country code file) are directly related to the stated purpose.
Instruction Scope
SKILL.md instructs storing a ThinQ PAT in ~/.config/lg-thinq/token and running the included Python script to interact with devices — this is within scope. Minor issues: the docs reference activating a virtualenv at 'cd ~/clawd && source .venv/bin/activate' (path/name appears inconsistent with the skill slug) and the README doesn't explicitly tell the user to pip-install the thinqconnect/aiohttp dependencies that the script requires. The script reads/writes only under ~/.config/lg-thinq (token, country, devices cache) and sends requests via the ThinQ API; it does not reference unrelated system paths.
Install Mechanism
There is no automated install spec (instruction-only plus an included script). That keeps disk changes minimal, but the provided Python script requires third-party packages (thinqconnect, aiohttp). SKILL.md does not provide explicit pip install steps for these dependencies, which is an operational omission but not a sign of maliciousness.
Credentials
No environment variables or unrelated credentials are requested. The skill asks the user to store a ThinQ Personal Access Token as a plaintext file in ~/.config/lg-thinq/token and to set a country code file; this is proportionate to interacting with the ThinQ API. Storing an access token in plaintext is sensitive — the token grants access to the user's devices and should be protected (file permissions, consider more secure storage).
Persistence & Privilege
The skill is not always-enabled and does not request elevated persistence. It caches device lists under ~/.config/lg-thinq/devices.json (expected) and does not modify other skills or system-wide settings.
Assessment
This skill appears to do what it says: it talks to LG ThinQ via the thinqconnect library and uses a Personal Access Token you supply. Before installing, verify the token source (https://connect-pat.lgthinq.com) and keep the token private. Ensure you install the Python dependencies (pip install thinqconnect aiohttp) in a controlled virtualenv; SKILL.md's virtualenv path looks inconsistent — confirm where you keep your venv. Check and restrict permissions on ~/.config/lg-thinq/token and be aware the skill will cache device metadata at ~/.config/lg-thinq/devices.json. If you want stronger protection, consider using a secrets manager or environment-restricted token rather than storing long-lived PATs in plaintext.
Like a lobster shell, security has layers — review code before you run it.
latestvk9777ykpaks4yps5twr664pryn7zwxnq
Runtime requirements
🧊 Clawdis
OS: macOS · Linux
