Back to skill
Skillv1.0.2
VirusTotal security
Starling Home Hub (Nest/Google Home) · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 3:50 AM
- Hash
- 2a02339e07df62bffa1c5bea1638789070ffae3eda48dc2b9101c68c398d1a10
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: starling-home-hub Version: 1.0.2 The skill is classified as suspicious primarily due to the default use of `curl -k` (disabling TLS certificate verification) in `scripts/starling.sh` when connecting to the Starling Home Hub via HTTPS. While this is explicitly documented in `SKILL.md` and `starling.sh` as a practical compromise for self-signed certificates on a trusted local network, it introduces a Man-in-the-Middle (MITM) vulnerability. However, the skill also includes positive security practices such as input validation (`validate_id`), explicit warnings against passing API keys via CLI arguments, and setting `chmod 600` on sensitive snapshot files. There is no evidence of intentional malicious behavior like data exfiltration, unauthorized remote execution, or prompt injection attempts against the agent.
- External report
- View on VirusTotal