Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Control your vehicle from AI agent
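v1.1.1 Vehicle information query skill. Queries vehicle location and vehicle condition (lock, door, window, air conditioning, and power status, etc.). Trigger phrases: 查车 (check car), 车辆位置 (vehicle location), 车况 (vehicle condition), 我的车在哪 (where is my car). Cross-platform support for Linux/macOS/Windows.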
by Kuikui @lkisme
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description, SKILL.md, README, and the included script all align: the script queries a vehicle API for position and condition data using a vehicleToken/accessToken pair. No unrelated credentials, tools, or system access are requested.
Instruction Scope
Runtime instructions tell the agent to run the bundled shell script and to prompt the user for a token in the specified format. The script only reads/writes its own cache/history files in the user's home, checks for curl/jq, and posts to the declared API endpoint. The instructions do not ask the agent to read arbitrary system files or exfiltrate other data.
Install Mechanism
No installation downloads or third-party packages are performed by the skill bundle; it's instruction + a local shell script. There are no external installers or URL downloads in the package.
Credentials
The skill does not request environment variables or platform credentials. It requires the user to supply vehicleToken####accessToken, which is appropriate for the task. Note: the script caches those tokens in plaintext under ~/.carkey_cache.json (or %USERPROFILE% on Windows) without explicit permission tightening, and sends them to https://openapi.nokeeu.com — users must trust that external service.
Persistence & Privilege
always:false and normal autonomous invocation settings. The script writes its own cache and history files under the user's home; it does not modify other skills or system-wide configs.
Assessment
This skill appears to do what it says: run the included script and query a vehicle API using tokens you provide. Before installing/using: (1) verify you trust the API host (https://openapi.nokeeu.com) because your tokens and vehicle data are sent there; (2) inspect the script (already included) so you understand what it posts and which local files it writes; (3) be aware tokens are cached in plaintext at ~/.carkey_cache.json (or %USERPROFILE%/.carkey_cache.json) — consider restricting file permissions (chmod 600) or deleting the cache when finished; (4) only provide tokens with minimal scope and rotate/revoke them if you suspect misuse.
Like a lobster shell, security has layers — review code before you run it.
