ClawHub

HiQ Cortex

v1.3.0

Find carbon emission factors for any material or process. 1M+ LCA datasets (HiQLCD, Ecoinvent, CarbonMinds). AI-powered BOM carbon footprint calculation and...

0· 233·0 current·0 all-time
by@kirbyingithub·duplicate of @kirbyingithub/hiq-lca
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description request node and a single HIQ_API_KEY and the code calls only x.hiqlcd.com endpoints. The requested binary (node) and primary credential (HIQ_API_KEY) are appropriate and expected for a remote-API-based LCA search and assistant.
Instruction Scope
SKILL.md and the scripts limit behavior to sending queries and BOMs to x.hiqlcd.com and reading HIQ_API_KEY. A minor scope note: the SKILL.md suggests adding the API key to ~/.openclaw/openclaw.json (plaintext storage) or exporting it as an environment variable; both are within expected scope but users should be aware the key will be stored/sent to the remote service and that any sensitive content included in queries will be transmitted.
Install Mechanism
There is no formal install spec in the registry (instruction-only), but SKILL.md suggests running npm ci in the skill directory. package.json contains no dependencies; npm ci is low-risk here. Because installation is manual (not automatic), there's no unexpected remote install behavior. If you run npm ci in future versions, review package.json first.
Credentials
Only a single API credential (HIQ_API_KEY) is required and declared as the primary credential. No other env vars, system config paths, or unrelated credentials are requested.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and is user-invocable only. It does not request elevated or persistent system privileges.
Assessment
This skill appears to do what it says: it uses node and a single HIQ_API_KEY to call HiQ's API at x.hiqlcd.com. Before installing, confirm you trust hiqlcd.com and are comfortable that any query text (including BOMs or example data) will be transmitted to that service. Prefer setting HIQ_API_KEY as an environment variable rather than saving it in ~/.openclaw/openclaw.json if you want to avoid plaintext storage. If you run npm ci, inspect package.json first (current package.json has no dependencies, but future revisions could). Avoid including secrets or personal data in queries sent to the remote API. The registry version (1.3.0) differs from package.json version (1.1.2) — this is likely benign but you may want to verify the package source matches the published version.
ask.js:35
Environment variable access combined with network send.
search.js:43
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.

Like a lobster shell, security has layers — review code before you run it.

batteryvk974jpbd7nhzcpj7ec1x9sj9g582v9d8bill-of-materialsvk974jpbd7nhzcpj7ec1x9sj9g582v9d8carbon-footprintvk974jpbd7nhzcpj7ec1x9sj9g582v9d8chinavk974jpbd7nhzcpj7ec1x9sj9g582v9d8ecoinventvk974jpbd7nhzcpj7ec1x9sj9g582v9d8emission-factorsvk974jpbd7nhzcpj7ec1x9sj9g582v9d8epdvk974jpbd7nhzcpj7ec1x9sj9g582v9d8gwpvk974jpbd7nhzcpj7ec1x9sj9g582v9d8iso-14040vk974jpbd7nhzcpj7ec1x9sj9g582v9d8latestvk974jpbd7nhzcpj7ec1x9sj9g582v9d8lcavk974jpbd7nhzcpj7ec1x9sj9g582v9d8mcpvk974jpbd7nhzcpj7ec1x9sj9g582v9d8scope-3vk974jpbd7nhzcpj7ec1x9sj9g582v9d8steelvk974jpbd7nhzcpj7ec1x9sj9g582v9d8supply-chainvk974jpbd7nhzcpj7ec1x9sj9g582v9d8sustainabilityvk974jpbd7nhzcpj7ec1x9sj9g582v9d8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🌱 Clawdis
OSmacOS · Linux · Windows
Binsnode
EnvHIQ_API_KEY
Primary envHIQ_API_KEY

Comments