Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Geeklink Home
v0.1.0
[English] Control Geeklink Home local gateway devices and scenes over LAN via the bundled self-contained Node.js runtime. Supports device listing, scene list...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the implementation: the skill bundles a Node.js CLI (vendor/geeklink-lan-cli.js) and small wrapper scripts that require the node binary. The included scripts and SKILL.md describe LAN host + pairingToken usage which aligns with controlling a local Geeklink gateway.
Instruction Scope
Runtime instructions only instruct the agent/user to obtain gatewayHost and pairingToken from the official app and run the packaged Node.js CLI. The workflow is narrowly scoped to device/scene listing, state checks, and control. One note: SKILL.md and scripts mention caching a session (login command) and a persistent watcher; where session tokens or watcher state are stored is not specified in the docs—that could result in sensitive pairing tokens being written to disk inside the skill runtime (expected for this use but worth auditing).
Install Mechanism
No external install/download step is declared; the package is instruction-and-file based with bundled vendor code. This is low risk compared with arbitrary remote downloads. The vendor CLI is large (~185KB) — since it's included rather than fetched at install time, inspect it for unexpected network calls/telemetry prior to use.
Credentials
The skill requests no environment variables, no credentials, and no config paths. The only sensitive inputs are the gatewayHost and pairingToken the user must copy from the official app, which is appropriate for local gateway control. Still, those tokens are sensitive and may be stored by the runtime.
Persistence & Privilege
The skill is not forced-always and uses normal autonomous invocation defaults. SKILL.md documents a persistent watcher (single instance) started when the skill runtime is loaded — this is consistent with the described functionality and not an unexplained privilege escalation.
Assessment
This package appears coherent for local LAN control of a Geeklink gateway, but take these precautions before installing or enabling it:
1) Review the bundled vendor/geeklink-lan-cli.js (or run it in a sandbox) to check for any external network endpoints or telemetry beyond local LAN access.
2) Treat the pairingToken as a secret — confirm where the runtime stores cached sessions and whether those files are protected or written to persistent disk.
3) If possible, run the skill in a network-limited environment that allows LAN access but blocks outbound internet to detect any unexpected exfiltration.
4) If you are not comfortable reviewing the JS bundle, prefer running the CLI manually from an isolated machine rather than enabling it as a persistent skill.
scripts/geeklink-home.js:16
Shell command execution detected (child_process).
vendor/geeklink-lan-cli.js:1820
Shell command execution detected (child_process).
vendor/geeklink-lan-cli.js:3648
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
latest: vk973gczfdgt5gspts940dx46vn83jwn3
Runtime requirements
🏠 Clawdis
Bins: node
