Living Room Air Monitor
Pending
Static analysis audit pending.
Overview
No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A normal chart or report request could download and execute third-party package installation code in the user's Python environment.
Chart generation automatically invokes pip to install matplotlib when it is missing, without a pinned version or install-spec declaration.
except ImportError:
    print("matplotlib not found. Installing...")
    os.system(f"{sys.executable} -m pip install matplotlib --quiet")
Remove runtime pip installation. Declare and pin matplotlib in the install requirements, or require explicit user approval before installing dependencies.
Users must store a smart-home hub token locally; if the local network connection is spoofed or intercepted, the token could be exposed.
The skill reads a local Dirigera bearer token and sends it to the local hub, while disabling TLS certificate verification.
TOKEN_FILE = os.path.expanduser("~/.openclaw/workspace/.dirigera_token") ... "Authorization": f"Bearer {token}" ... ssl_context.verify_mode = ssl.CERT_NONE
Document the token requirement in metadata, protect the token file, use the least-privileged token available, and prefer certificate validation or certificate pinning where possible.
If invoked unintentionally, the skill can send air-quality readings and chart locations/files through the user's configured messaging accounts.
Report delivery invokes local Gmail and WhatsApp CLI tools to send outbound messages to configured contacts.
cmd = ["gog", "gmail", "send", "--to", EMAIL, ...]
cmd = ["wacli", "send", "text", "--to", whatsapp_to, "--message", message]
Run report-sending commands only when intended, document the required gog/wacli account setup, and consider adding a confirmation step before sending.
The skill will continue collecting hourly air-quality data and writing logs until the cron entry is removed.
The skill instructs the user to create a persistent scheduled job for ongoing collection.
Add to crontab for automatic data collection every hour: 0 * * * * /opt/homebrew/bin/python3 .../collect_air_data.py >> /tmp/air_quality_cron.log 2>&1
Only add the cron entry if continuous monitoring is desired, verify the path and schedule, and keep clear uninstall/removal instructions.
Accumulated home sensor history may reveal environmental or occupancy patterns and may be included in generated reports.
The skill persists historical home air-quality readings in a local SQLite database for later queries and reports.
DB_PATH = os.path.expanduser("~/.openclaw/workspace/skills/living-room-air-monitor/data/air_quality.db")
Review database file permissions, retention expectations, backups, and whether old readings should be deleted periodically.
