天津安信华瑞
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent QuecPython IoT template, but its deployed device code can accept server-triggered OTA updates and sends device identifiers, so it should be reviewed before use.
Before deploying this skill’s template, verify and customize URL_REPORT and URL_OTA, ensure only trusted signed firmware can be installed, and confirm that sending IMEI/IMSI and sensor data to the chosen cloud platform is acceptable.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A compromised, misconfigured, or overly trusted reporting/OTA server could cause deployed devices to download updates and reboot without a local review step.
The same post() method used for normal sensor data reporting parses any successful server response for file_list and then downloads OTA files, sets the update flag, and restarts the device.
return self.post(json_body, self.url_report, "传感器数据") ... if file_list: self.run_ota(file_list) ... fota.bulk_download(file_list); fota.set_update_flag(); Power.powerRestart()
Restrict OTA triggering to the dedicated OTA endpoint, require HTTPS plus cryptographic signature or hash verification, and add explicit deployment controls or rollback guidance before using this in production.
Configured cloud endpoints will receive device/SIM identifiers that can identify or track deployed hardware.
The report payload includes cellular device identifiers such as IMEI and IMSI along with sensor and system status data.
'unit_code': net_info.get('IMEI', ''), ... 'IMEI': net_info.get('IMEI', ''), 'IMSI': net_info.get('IMSI', '')
Use only trusted reporting and OTA endpoints, prefer HTTPS, and remove or minimize identifiers if the receiving platform does not require them.
