Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tianjin Anxin Huarui Technology Co., Ltd. - Combustible Gas Alarm Controller - Companion Skill

v1.0.1

This skill should be used when the user wants to generate, customize, or deploy QuecPython code for reading gas detector data from an Anxin Huarui AX100 seri...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description, SKILL.md, and the provided Python files are coherent: this is a QuecPython template to read AX100 Modbus data and post JSON to an HTTP endpoint. All included modules (modbus, sensor, LED, main) are directly relevant. However, the template config.py contains default external endpoints (URL_CLIENT -> iot.tranthing.com, URL_OTA -> a tcloudbase.com domain). Those defaults are not required to develop the skill (the skill's purpose is to adapt/report to a customer's URL) and could cause unintended outbound data delivery if users do not override them.
Instruction Scope
SKILL.md instructs the agent to gather customization parameters, edit the template (usually config.py), upload the files to the QuecPython module, and then enable main.py as auto-run. It does not ask the agent to read unrelated host files or secrets. The runtime code reads device identifiers (IMEI/IMSI/ICCID) and cell/signal info; that is expected for device reporting, but it is sensitive data that is collected and included in payloads.
Install Mechanism
No install spec — instruction-only with code templates. Nothing is downloaded or executed on the host during skill installation; the code is intended to be uploaded to the target IoT module via QPYcom. This is lower risk from the platform-install perspective.
Credentials
The skill requests no environment variables or host credentials (none declared). At runtime (on the device) it collects and reports IMEI, IMSI, ICCID and cellular info plus sensor data. Collecting these identifiers is reasonable for device reporting, but they are sensitive; the default hardcoded URL_CLIENT and URL_OTA in config.py mean those identifiers would be sent to third-party servers unless the integrator changes them.
Persistence & Privilege
Skill flags show no elevated agent privileges (always=false) and no persistent install actions on the developer platform. However, the template includes OTA checking (URL_OTA and import app_fota in main.py). If the OTA URL is left enabled, the device may fetch firmware/updates from the configured remote server — this is a normal device feature but increases risk if the OTA server is untrusted.
What to consider before installing
This package is generally coherent with its described purpose, but pay attention before deploying:
1. Change URL_CLIENT to your customer's HTTP endpoint; do not rely on the template default (iot.tranthing.com) unless you intentionally want that vendor to receive your data.
2. If you don't want remote firmware updates, set URL_OTA to an empty string; otherwise verify and trust the OTA server (the default points to a tcloudbase.com domain).
3. The template includes device identifiers (IMEI/IMSI/ICCID) and cellular info in reports; confirm that sending these to the configured endpoint is allowed by your data/privacy policy.
4. Review build_payload() and main.py to ensure the JSON format and fields match customer requirements and that no extra endpoints are contacted.
5. Test on an isolated device/network before production to confirm behavior (report frequency, OTA behavior, and that logs/prints do not leak secrets).
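Points 1, 2 and 4 above amount to one check: every endpoint the template can contact must be one you control, and URL_OTA must be empty unless you have deliberately accepted remote updates. The script below is an added example of that pre-deployment audit; it is not part of the skill, and the file contents it scans are constructed stand-ins for the skill's config.py and main.py, not the real files. It assumes config.py assigns URL_CLIENT and URL_OTA as plain string constants (as the scan describes), parses the file with `ast` rather than importing it so an untrusted template never executes on the host, and treats `iot.customer.example`, `example.tcloudbase.com` and the `192.0.2.10` debug URL as hypothetical names chosen for the demo.

```python
"""Pre-deployment endpoint audit for a QuecPython skill template (added example).

Assumptions, not taken from the skill: config.py assigns URL_CLIENT and
URL_OTA as plain string constants, and the other template files embed any
further endpoints as http(s) string literals.
"""
import ast
import re
from urllib.parse import urlparse

# Constructed stand-ins for the template files. The real config.py/main.py
# shipped with the skill may differ; only the URL_CLIENT/URL_OTA defaults and
# the app_fota import are described on the page.
SAMPLE_FILES = {
    "config.py": (
        'URL_CLIENT = "http://iot.tranthing.com/api/report"\n'
        'URL_OTA = "https://example.tcloudbase.com/ota"\n'  # hypothetical host
        "REPORT_INTERVAL = 60\n"
    ),
    "main.py": (
        "import app_fota\n"
        "from config import URL_CLIENT, URL_OTA\n"
        # Constructed: a stray endpoint a reviewer would want flagged.
        'DEBUG_URL = "http://192.0.2.10/debug"\n'
    ),
}

URL_RE = re.compile(r"https?://[^\s'\"]+")


def config_constants(source):
    """Return top-level NAME = <literal> assignments from config.py.

    The source is parsed, never imported or exec'd, so auditing an untrusted
    template cannot run its code on the reviewing host.
    """
    consts = {}
    for node in ast.parse(source).body:
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    consts[target.id] = node.value.value
    return consts


def find_urls(files):
    """Map every http(s) literal in every template file to (file, line) hits."""
    hits = {}
    for name, src in files.items():
        for lineno, line in enumerate(src.splitlines(), 1):
            for url in URL_RE.findall(line):
                hits.setdefault(url, []).append((name, lineno))
    return hits


def audit(files, allowed_hosts, allow_ota=False):
    """Return findings as strings; an empty list means only allowed hosts are contacted."""
    findings = []
    cfg = config_constants(files["config.py"])
    client = cfg.get("URL_CLIENT", "")
    ota = cfg.get("URL_OTA", "")
    if not client or urlparse(client).hostname not in allowed_hosts:
        findings.append("URL_CLIENT %r is not one of the allowed hosts" % client)
    if ota and not allow_ota:
        findings.append("URL_OTA %r is set; clear it unless remote updates are intended" % ota)
    elif ota and urlparse(ota).hostname not in allowed_hosts:
        findings.append("URL_OTA %r points at a host you do not control" % ota)
    # Catch endpoints outside config.py (point 4): anything not on the allowlist.
    for url, where in find_urls(files).items():
        if urlparse(url).hostname not in allowed_hosts:
            locs = ", ".join("%s:%d" % loc for loc in where)
            findings.append("unexpected endpoint %s at %s" % (url, locs))
    return findings


if __name__ == "__main__":
    # iot.customer.example is a hypothetical customer host for the demo.
    for finding in audit(SAMPLE_FILES, {"iot.customer.example"}):
        print("FINDING:", finding)
```

Run it against the files you actually intend to upload with QPYcom, with `allowed_hosts` set to the customer's endpoint(s); pass `allow_ota=True` only after you have added the OTA server you trust to the allowlist. An empty result is the state to reach before the device goes on a production network.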



