ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Living Room Smoke Detector

v1.0.0

Simple smoke/fire detector for living room. Queries Dirigera air sensor every 5 minutes, detects dangerous PM2.5 over 250 or CO2 over 2000 levels, and broadc...

0· 443·0 current·0 all-time
byIgor@maverick-2
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (living-room smoke detector) match the code and SKILL.md: the script polls a Dirigera hub, checks PM2.5/CO2 thresholds, saves a minimal local state file, and plays alerts on macOS. No unrelated services, credentials, or binaries are requested.
Instruction Scope
SKILL.md and the script both direct the agent/user to read a local token file (~/.openclaw/workspace/.dirigera_token), contact a local hub at 192.168.1.100:8443, write a small state file under the skill data directory, and optionally copy an alert mp3 from another skill — all are within the stated purpose. Notes: the cron example and file paths are heavily Mac-/user-specific (e.g., /Users/macmini and /opt/homebrew/bin/python3) and will need adjustment. The continuous alert loop behavior (repeating every 5s until cleared) is explicit and may be noisy but is intentional.
Install Mechanism
No install spec (instruction-only + a single script) — lowest-risk distribution model. Nothing is downloaded or extracted at install time.
Credentials
No environment variables are requested; the script reads a single local token file and uses a hard-coded local hub IP. That token file requirement is declared in SKILL.md (so the access is proportional), but the script disables SSL certificate checks for the hub (ssl_context.verify_mode = CERT_NONE), which weakens TLS protections and could allow MITM on untrusted networks. The hard-coded IP and token path reduce portability and should be configurable by the user.
Persistence & Privilege
Skill does not request always:true, does not modify other skills or system-wide configuration, and only writes its own small state file under the skill directory. Cron installation is suggested but is a user action (not automatic).
Assessment
This skill appears to do what it claims: poll your local Dirigera hub and play an alert on macOS. Before installing or running it, consider the following: 1) The script reads a local token file (~/.openclaw/workspace/.dirigera_token) — ensure that file contains only the expected Dirigera token and has restrictive file permissions (chmod 600) so other users can't read it. 2) The script disables TLS certificate validation for the hub connection (accepts self-signed certs) — on untrusted networks this raises a MITM risk; prefer to configure it to trust the hub certificate or run only on a trusted LAN. 3) Paths in the SKILL.md (cron entry, /Users/macmini, /opt/homebrew/bin/python3) are user-specific — update them for your system. 4) The alert loop will play sound continuously until readings clear (and may be loud); ensure this behavior is acceptable and that ffmpeg/say/afplay are installed. 5) If you need portability or stricter security, modify the script to accept the hub IP and token path via command-line args or environment variables and re-enable certificate validation. Finally, test manually (run the script interactively) before adding to crontab so you can verify behavior and that it uses the correct token and hub.

Like a lobster shell, security has layers — review code before you run it.

latestvk974929fj674ck20j3vqcxdq6h81v7wx

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments