Skill flagged - suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
AirShell
v1.1.1
Agent playbook for the AirShell open-source air quality sensor (github.com/oloapiu/airshell). Gives your agent domain knowledge about CO₂, PM2.5, temperature...
by @oloapiu
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign, medium confidence
Purpose & Capability
The name/description (air quality sensor playbook) matches what the files do: reading docs, polling a local device_url, posting device config, and optional purifier control. The included vesync example aligns with the documented optional purifier control in references/deployment.example.md.
Instruction Scope
Runtime instructions tell the agent to read local reference docs, call local device endpoints (GET {device_url}/status, POST {device_url}/config), and to determine the agent's webhook URL/token from the agent/gateway configuration. That gateway/token lookup is necessary for webhook-based operation but does require the agent to access its gateway config (potentially secrets). Instructions do not ask the agent to read unrelated user files or exfiltrate data to third-party endpoints; the only external web API is open-meteo for weather checks.
Install Mechanism
No install spec is provided (instruction-only), and the only code file is an optional example script. Nothing is downloaded or written to disk by an installer in the skill metadata.
Credentials
The skill declares no required env vars. The optional vesync example script does expect VESYNC_EMAIL / VESYNC_PASSWORD / VESYNC_DEVICE if the user chooses automatic purifier control; these are documented in the example but not mandatory. The agent will need access to its own webhook token or gateway config to configure the sensor, which is proportionate to the stated webhook-based design but is a sensitive capability the user should understand.
Persistence & Privilege
always:false and normal autonomous invocation. The skill writes and reads its own references/deployment.md as part of setup (expected). It does not request persistent system-wide privileges or modify other skills' configs.
Assessment
This skill appears to do what it says: monitor a local AirShell sensor, advise on CO₂/PM2.5/temp/humidity, and optionally push config and control a purifier. Before installing, consider: (1) Source is unknown - review files yourself if you need higher assurance. (2) Webhook token exposure: the skill asks the agent to find its gateway webhook URL and token and POST that to the device so the sensor can call back. Only use this with devices you trust on your network (untrusted devices could capture that token). If possible create a scoped/dedicated webhook or token for the sensor. (3) Purifier control is optional but requires storing VeSync credentials in environment variables - follow the docs and avoid hardcoding secrets. (4) The skill will call the local device_url and open-meteo; ensure device_url points to a trusted local IP/Tailscale host. If you want to reduce risk, run the setup interview and push config manually rather than letting the agent discover and post secrets automatically.
Like a lobster shell, security has layers - review code before you run it.
latest: vk97bc2f84cp55hx35ey9xfp9w182dz77
