Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
天津安信华瑞
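v1.0.0 · A Modbus-protocol IoT framework built on the QuecPython platform, supporting multi-sensor data acquisition, 4G communication, cloud reporting, and OTA remote upgrade.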
by @lbs2016
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (QuecPython Modbus IoT framework) matches the shipped code and runtime instructions: Modbus RTU, sensor management, 4G/network management, HTTP/HTTPS reporting, and OTA. No unrelated capabilities (e.g., cloud providers, AWS creds) are requested.
Instruction Scope
SKILL.md instructs copying the template into a project and deploying eight .py files to the device's /usr directory, editing config/config.py, and running on a QuecPython device. Those actions are appropriate for the stated purpose, but the runtime behavior includes collecting IMEI/IMSI and network info and posting them to URL_REPORT/URL_OTA (defaults point to the vendor). Ensure those endpoints are changed to trusted endpoints before use.
Install Mechanism
No install spec or external downloads are used by the skill bundle. It is an instruction-and-template package with local file copying; no remote packages, URL downloads, or binary installation were specified in the manifest.
Credentials
The skill does not request environment variables or external credentials. However, the code collects and transmits device identifiers (IMEI, IMSI, CCID) and detailed network/sensor data to the configured report/OTA URLs. The default URLs in the template point to the vendor — leaving defaults would leak device identifiers/data and permit remote OTA updates. These behaviors are expected for an IoT reporting/OTA framework but are sensitive and must be configured to trusted endpoints.
Persistence & Privilege
Skill flags are normal (always: false, agent-autonomy allowed). The SKILL.md asks you to copy files to the device /usr directory; this modifies the device filesystem and could overwrite existing modules. That is typical for deploying firmware scripts to QuecPython, but you should back up device files and ensure correct permissions before deploying.
Assessment
This package is a legitimate QuecPython Modbus IoT template but contains sensitive behaviours you should explicitly handle before deployment:
1) Change URL_REPORT and URL_OTA in config/config.py to your trusted endpoints; the template defaults point to the vendor and will receive IMEI/IMSI, cell info, and sensor data.
2) Review the OTA flow (data_reporter.run_ota): it will download files and call firmware update and reboot; only allow OTA from trusted servers.
3) Back up your device and test in an isolated environment before deploying to production; copying files to /usr can overwrite modules.
4) If you do not want the device to send IMEI/IMSI, sanitize the reporting code (data_reporter) accordingly.
5) Perform network whitelisting or use a staging server to validate payload formats.
If you want, provide the config/config.py defaults and I can highlight which fields to change and what values are safe.
