Living Room Air Monitor

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its air-monitoring purpose, but it should be reviewed because chart/report actions can automatically install an unpinned Python package and the skill uses local smart-home and messaging credentials.

Before installing, decide whether you trust this skill to use your Dirigera hub token, CONTACTS.json, and local messaging tools. Prefer installing reviewed, pinned dependencies yourself instead of allowing runtime pip installation, verify the cron schedule, and remove the cron entry if you no longer want continuous monitoring.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A normal chart or report request could download and execute third-party package installation code in the user's Python environment.

Why it was flagged

Chart generation automatically invokes pip to install matplotlib when it is missing, without a pinned version or install-spec declaration.

Skill content

except ImportError:
    print("matplotlib not found. Installing...")
    os.system(f"{sys.executable} -m pip install matplotlib --quiet")

Recommendation

Remove runtime pip installation. Declare and pin matplotlib in the install requirements, or require explicit user approval before installing dependencies.

What this means

Users must store a smart-home hub token locally; if the local network connection is spoofed or intercepted, the token could be exposed.

Why it was flagged

The skill reads a local Dirigera bearer token and sends it to the local hub, while disabling TLS certificate verification.

Skill content

TOKEN_FILE = os.path.expanduser("~/.openclaw/workspace/.dirigera_token") ... "Authorization": f"Bearer {token}" ... ssl_context.verify_mode = ssl.CERT_NONE

Recommendation

Document the token requirement in metadata, protect the token file, use the least-privileged token available, and prefer certificate validation or certificate pinning where possible.

What this means

If invoked unintentionally, the skill can send air-quality readings and chart locations/files through the user's configured messaging accounts.

Why it was flagged

Report delivery invokes local Gmail and WhatsApp CLI tools to send outbound messages to configured contacts.

Skill content

cmd = ["gog", "gmail", "send", "--to", EMAIL, ...]
cmd = ["wacli", "send", "text", "--to", whatsapp_to, "--message", message]

Recommendation

Run report-sending commands only when intended, document the required gog/wacli account setup, and consider adding a confirmation step before sending.

What this means

The skill will continue collecting hourly air-quality data and writing logs until the cron entry is removed.

Why it was flagged

The skill instructs the user to create a persistent scheduled job for ongoing collection.

Skill content

Add to crontab for automatic data collection every hour:
0 * * * * /opt/homebrew/bin/python3 .../collect_air_data.py >> /tmp/air_quality_cron.log 2>&1

Recommendation

Only add the cron entry if continuous monitoring is desired, verify the path and schedule, and keep clear uninstall/removal instructions.

What this means

Accumulated home sensor history may reveal environmental or occupancy patterns and may be included in generated reports.

Why it was flagged

The skill persists historical home air-quality readings in a local SQLite database for later queries and reports.

Skill content

DB_PATH = os.path.expanduser("~/.openclaw/workspace/skills/living-room-air-monitor/data/air_quality.db")

Recommendation

Review database file permissions, retention expectations, backups, and whether old readings should be deleted periodically.