Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Sp501lw Mqtt

v0.1.0

SP501LW serial-port gateway skill managed purely over MQTT. It supports two working modes, serial passthrough and Modbus RTU data acquisition, controls the device entirely through MQTT, and allows custom topics and a custom broker.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description, required binary (python3), SKILL.md and included Python script all line up: this is a tool to manage SP501LW gateways over MQTT and to configure Modbus polling. The dependency on paho-mqtt is proportional and expected.
Instruction Scope (flagged)
Runtime instructions direct the agent to run the included Python CLI, which publishes and subscribes to MQTT topics and writes a local devices.json holding device and broker settings. SKILL.md and its examples rely on a default remote broker (mqtt.likong-iot.com) and include plaintext credentials, so out-of-the-box use, or following the examples exactly, sends network traffic to a third-party broker and may upload device data unless the user supplies a different broker.
Install Mechanism
No binary downloads or obscure install steps; the only runtime dependency is paho-mqtt (pip). SKILL.md lists pip install for paho-mqtt, which is normal and low-risk.
Credentials (flagged)
The skill requests no environment variables, which is proportional, but it stores broker credentials in devices.json in plaintext and ships with default broker host, username and password values (host mqtt.likong-iot.com, username 'public', password 'Aa123456'). Using the defaults without review could leak telemetry and Modbus data to the author-controlled broker. Requiring credentials via CLI arguments is reasonable for MQTT control, but persistent plaintext storage combined with a remote default host increases the risk.
Persistence & Privilege
The skill is declared always:false, and there is no evidence that it modifies other skills or system-wide configuration. It writes its own devices.json, which is expected for a CLI tool. Autonomous invocation is allowed by platform defaults; combined with the networking behavior above this increases the need for caution, but it is not in itself a new privilege.
What to consider before installing
This skill is coherent with its stated purpose, but take care before using it:
1) Review sp501lw_mqtt.py and SKILL.md to confirm where MQTT traffic will go.
2) Do not rely on the bundled default broker; explicitly set --broker-host, --username and --password to a broker you control.
3) Inspect devices.json before and after adding devices; it stores credentials in plaintext.
4) If you must test quickly, run the tool in a network-isolated environment or monitor outbound network connections to ensure data isn't sent to untrusted endpoints.
5) If you need privacy, run your own MQTT broker (e.g., on localhost or on a trusted host) and update the examples to use it.
If you want, I can point to the exact lines in the Python file that set the default broker and write devices.json so you can review them.
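A pre-install check that turns the points above into something repeatable, added here as an example and not part of the skill or of the ClawHub scanner: it parses a devices.json, flags a broker host that is neither local nor on an allowlist, flags a stored password and an unencrypted port 1883 without a TLS setting, and regex-scans the CLI source for hard-coded argparse defaults for --broker-host, --username and --password. The devices.json layout, its field names, and the source snippet are constructed stand-ins (the real sp501lw_mqtt.py and the real devices.json schema were not inspected), so adapt the keys and the regex to what the skill actually writes.

```python
import json
import re
from ipaddress import ip_address

# Constructed sample devices.json. ASSUMPTION: the real file's layout was not
# inspected; the field names here are a guess and must be adjusted.
SAMPLE_DEVICES_JSON = """
{
  "broker": {"host": "mqtt.likong-iot.com", "port": 1883,
             "username": "public", "password": "Aa123456"},
  "devices": [
    {"id": "gw-01", "mode": "modbus", "topic": "sp501lw/gw-01"}
  ]
}
"""

# Constructed stand-in for a skill's argparse setup; NOT the real sp501lw_mqtt.py.
SAMPLE_SOURCE = '''
parser.add_argument("--broker-host", default="mqtt.likong-iot.com")
parser.add_argument("--port", default=1883, type=int)
parser.add_argument("--username", default="public")
parser.add_argument("--password", default="Aa123456")
'''

LOCAL_NAMES = ("localhost", "127.0.0.1", "::1")


def host_is_local(host):
    """True for loopback names and RFC 1918 / ULA addresses; hostnames are not local."""
    if host in LOCAL_NAMES:
        return True
    try:
        return ip_address(host).is_private
    except ValueError:  # not an IP literal, e.g. a public DNS name
        return False


def audit_devices_json(text, allowed_hosts=()):
    """Return findings for a devices.json document (assumed 'broker' object layout)."""
    cfg = json.loads(text)
    broker = cfg.get("broker", {})
    findings = []
    host = broker.get("host", "")
    if host and not host_is_local(host) and host not in allowed_hosts:
        findings.append(f"broker host {host!r} is not local and not on the allowlist")
    if broker.get("password"):
        findings.append("broker password stored in plaintext")
    if broker.get("port") == 1883 and not broker.get("tls"):
        findings.append("port 1883 without a TLS setting; credentials and telemetry travel in the clear")
    return findings


# Matches: add_argument("--broker-host", default="...") and the credential flags.
DEFAULT_RE = re.compile(
    r'--(?P<flag>broker-host|username|password)"\s*,\s*default\s*=\s*"(?P<val>[^"]*)"'
)


def find_cli_defaults(source):
    """Map hard-coded argparse defaults for the broker/credential flags in Python source."""
    return {m.group("flag"): m.group("val") for m in DEFAULT_RE.finditer(source)}


def audit_skill(devices_json, source, allowed_hosts=()):
    """Combine the config audit with the source-default audit; empty list means clean."""
    findings = audit_devices_json(devices_json, allowed_hosts)
    defaults = find_cli_defaults(source)
    host = defaults.get("broker-host")
    if host and not host_is_local(host) and host not in allowed_hosts:
        findings.append(f"CLI default --broker-host {host!r} points at a remote broker")
    if defaults.get("password"):
        findings.append("CLI ships a default --password; running without overriding it sends the bundled credential")
    return findings


if __name__ == "__main__":
    for finding in audit_skill(SAMPLE_DEVICES_JSON, SAMPLE_SOURCE):
        print("FINDING:", finding)
```

Run it against the real devices.json and sp501lw_mqtt.py once before adding any device and again afterwards; a clean result only means the checked fields are local or allowlisted and no password is persisted, it says nothing about what the script does at runtime, so keep the network-isolated test from step 4.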

Like a lobster shell, security has layers — review code before you run it.

latest: vk97dkqxa9g0c0b39fkecyxw0h9842904


Runtime requirements

Clawdis
Bins: python3
