ninebot-device-skill
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill coherently queries Ninebot vehicle status and location with a user-provided API key, but that key and the returned location data are sensitive.
Before installing, be comfortable giving the skill a Ninebot Device Service key and receiving vehicle location in the chat. Prefer a protected environment variable over a saved config file, inspect any config.json for the expected Ninebot endpoint, and avoid using the skill in shared or untrusted conversations.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any agent process with this key can query the vehicle data exposed by the Ninebot Device Service, including device list and status information.
The skill requires a Ninebot Device Service API key and uses it as an authorization credential for account-linked vehicle queries.
Set the environment variable: `export NINEBOT_DEVICESERVICE_KEY=your_key` ... The request header uses `Authorization: Bearer <API_KEY>`
Use the narrowest available key, prefer setting it as an environment variable or protected secret, avoid pasting it into shared chats, and revoke it if it is no longer needed.
Vehicle location and related status may appear in chat history, logs, summaries, or downstream agent context after a query.
The script returns vehicle location and usage-related data into the agent's output context; this is purpose-aligned but privacy-sensitive.
"location": info.get("location"), ... "estimateMileage": info.get("estimateMileage")Use the skill only in trusted conversations and avoid sharing or retaining outputs that contain precise vehicle location unless necessary.
If config.json is modified to point away from the intended Ninebot service, the API key and query payloads could be sent to an unintended endpoint.
The API mapping is intentionally configurable, including the base URL; a changed or untrusted config could alter where credentialed requests are sent.
You can override any field via a JSON config file ... "base_url": "https://cn-cbu-gateway.ninebot.com"
Inspect config.json before use, keep it in a trusted directory, and leave the base URL pointed at the expected Ninebot gateway unless you intentionally need a different endpoint.
