ClawHub

Victron Power System Monitor - Boat, RV and Power Systems

v1.0.0

Monitor Victron Energy power systems and generate beautiful daily email reports with battery status, solar generation, and active alarms. Integrates with Vic...

0· 205·0 current·0 all-time
byLuke Kilpatrick@lkilpatrick
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's stated purpose (fetch VRM metrics and send daily HTML emails) mostly matches the contained code (it queries the VRM API and generates HTML), but the package repeatedly claims it 'sends' emails while the provided Python code only generates local output (HTML/JSON/CSV) and contains no email-sending implementation. The README/SKILL.md also reference editing email recipients in the script, yet the script does not include sending logic. This mismatch between claimed capability and actual implementation is concerning.
!
Instruction Scope
Runtime instructions expect a VRM API token and tell users to edit a script at a hard-coded user path (e.g., /home/jeanclaude/...), and to run the Python script or add it to cron. The SKILL.md and other docs instruct setting environment variables (VRM_TOKEN) but the skill metadata declares no required env vars. The documentation also inconsistently refers to VRM_TOKEN and VRM_API_KEY. The script only talks to the VRM API (no external endpoints), which is appropriate, but the instructions give the agent broad discretion to edit and run local scripts and reference a specific username/path — odd but not necessarily malicious.
Install Mechanism
There is no install spec (instruction-only install) and included requirements.txt only requests 'requests'. This is low risk from an installer perspective, but because there is no automated install step, users must manually ensure dependencies (pip install -r requirements.txt).
!
Credentials
The only sensitive credential the code needs is a Victron VRM token, which is proportionate to the stated purpose. However: (1) the registry metadata claims no required env vars while SKILL.md and code expect VRM_TOKEN (and another file references VRM_API_KEY) — an inconsistency that could cause misconfiguration or accidental exposure; (2) the skill asks users to paste their token into the script or environment, so users should treat the token like a secret. No other unrelated credentials are requested.
Persistence & Privilege
always is false, it is user-invocable and model-invocation is not disabled (normal). The skill does not request persistent platform privileges or attempt to modify other skills. There is no install step that writes to system locations beyond the user's skill workspace.
What to consider before installing
This skill mostly does what it says (calls Victron VRM API and renders HTML), but several things don't add up and you should clear them before installing or automating it: 1) The code expects a VRM API token (VRM_TOKEN) even though the package metadata declares none — only provide a token with read-only scope and do not paste it into public places. 2) The documentation claims the skill 'sends' emails, but the included Python script appears to only generate local files (out/*.html, .json, .csv) and contains no email-sending code — if you need automatic emailing, review/add safe email delivery (SMTP or service) and ensure secrets (SMTP passwords, API keys) are handled securely. 3) There are inconsistent env-var names across files (VRM_TOKEN vs VRM_API_KEY); standardize on one and use environment variables rather than hard-coding secrets. 4) The Python script appears truncated/buggy (references to undefined variables like 'pg_data', an incomplete 'generate' call) — run the script locally in a safe environment, review and fix the code, and test with a throwaway token before automating. 5) The docs point at a hard-coded user path (/home/jeanclaude/...) — update paths to suit your environment. 6) Install dependencies yourself (pip install -r requirements.txt) and review all code for any unexpected network calls before adding to cron. If you want help pinpointing the exact code fixes (email sending, undefined variables), I can inspect the full script and suggest concrete changes.

Like a lobster shell, security has layers — review code before you run it.

latestvk97792y2kppgdn9xx54xzhdyt982ntv3

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments