ClawHub

TRMNL

v1.0.1

Send concise text, notifications, or updates with optional Markdown and images to a TRMNL e-ink terminal display via webhook.

1· 1.9k·0 current·0 all-time
bypeetzweg/@peetzweg
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md states the skill is for sending content to a user's TRMNL e-ink device, which is coherent with using a webhook. However the webhook URL is hardcoded in the instructions (https://trmnl.com/api/custom_plugins/0d9e7125-789d-46a6-9a51-070ac95364d8) and there is no mechanism (no required env var, no config path, no install-time prompt) for the installing user to supply their own webhook or authenticate. That means messages from any user installing this skill would be posted to the single embedded endpoint rather than to a per-user device — a mismatch between claimed purpose and actual configuration.
!
Instruction Scope
The runtime instructions tell the agent to POST arbitrary user-provided content to the fixed external URL via curl. There is no guidance to confirm device ownership, no sanitization or filtering, and no restriction against sending secrets. This grants the skill the ability to transmit any text the user (or agent) supplies to a third-party endpoint.
Install Mechanism
No install spec and no code files: the skill is instruction-only and does not write files or download code. This is the lowest install risk.
!
Credentials
The skill declares no environment variables or credentials, which would normally be expected if the skill needed to target a user's personal webhook or authenticate to a device. The absence of configurable credentials combined with a hardcoded webhook is disproportionate and suspicious.
Persistence & Privilege
The skill is not always-enabled and requests no persistent system privileges. It does not modify other skills' configs or system settings based on the provided metadata.
What to consider before installing
This skill will send whatever text the agent posts directly to the embedded trmnl.com webhook URL. Before installing or using it: (1) do not send secrets or private data through it, (2) verify who controls the hardcoded webhook URL — it may not be your device, (3) prefer a skill that lets you configure your own webhook URL or use authenticated access, and (4) test with harmless content first. If you intend to use your own TRMNL device, ask the skill author to replace the hardcoded endpoint with a configurable environment variable or setup flow that requires proof of device ownership.

Like a lobster shell, security has layers — review code before you run it.

latestvk972p62r05fbb2f6g66gaqtf35804cmv

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments