Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

三峰智能

v1.0.2

SUFN (三峰) smart-home control skill. Applicable scenarios: (1) the user says "三峰登录 账号 密码" (SUFN login, account, password); (2) the user asks to turn on/off or adjust devices such as lights, air conditioners, curtains, or sockets; (3) the user says sync devices, device list, scene list, run scene, home list, enter home, help, or SUFN help; (4) the user says any mode/scene name (for example movie mode, reading mode, coming home). All operations make real API calls and do not...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Skill name, description, and runtime instructions all describe controlling SUFN devices via the documented open.aibasis.cc APIs. There are no unrelated required binaries, env vars, or install steps; the declared external domain matches the stated purpose.
Instruction Scope
The SKILL.md contains explicit OS-specific scripts (PowerShell and bash) to call the SUFN API and instructs the agent to capture a STATE_JSON: line and persist it. This is within the control-skill scope, but the instructions make the agent handle user credentials and tokens and explicitly persist them — so verify you are comfortable with those persistent credentials and that the agent's read/write tools are limited to the skill's state file.
Install Mechanism
Instruction-only skill with no install spec or external downloads; lowest-risk install mechanism (nothing is written by an installer beyond the normal agent behavior).
Credentials
The skill requests no environment variables or external credentials at install time, which is proportionate. However it expects the agent to accept user-supplied account/password via chat and will store the returned token (and home info) in {baseDir}/state.json — this persistent storage of sensitive data should be considered.
Persistence & Privilege
The skill sets always:false and only writes/reads its own state.json as documented. It does not request system-wide configuration changes or other skills' credentials. Autonomous invocation is enabled (the default) and is not flagged on its own, but consider how often the agent may call the skill.
Assessment
This skill appears to be a straightforward controller for the 三峰/SUFN open.aibasis.cc API and does what it says, but before installing: (1) confirm you trust the domain https://open.aibasis.cc (no homepage/source is provided here); (2) understand that logging in via chat sends your account/password to the skill and the returned token and home/device lists are persisted to {baseDir}/state.json — ensure that file and the agent workspace are access-controlled; (3) prefer using a dedicated or low‑privilege account or temporary credential when testing; (4) if you use a shared agent or allow autonomous agent actions, restrict or monitor the skill's use because it can perform real device actions; (5) consider periodically revoking tokens on the SUFN side and inspect state.json contents after a login to confirm only expected fields are stored.


latest: vk97bdfn1k8wqmxpnqd2qmpreks851dm7

