Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Earl Display Control
v0.1.0Manage Earl's TV dashboard (VisuoSpatial Sketchpad) — wake the display, restart the local server, launch the kiosk browser, and update Earl's mind (mood, hou...
⭐ 0· 576·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description match the files and behavior: scripts and a Python API read/write a local earl_mind.json and start a local static HTTP server and kiosk browser. Requested binary (python3) is appropriate and proportional.
Instruction Scope
SKILL.md instructs only local actions (start python http.server, launch browser, edit earl_mind.json via EarlMind API). It also documents update_weather_ping.py which performs an outbound request to api.open-meteo.com (expected for weather). The pre-scan flagged unicode-control-chars in SKILL.md (possible prompt-injection attempt) — the rest of the instructions and code are straightforward local file and network use.
Install Mechanism
No install spec (instruction-only skill). Code files live in the repo; nothing is downloaded or installed from external arbitrary URLs. This is low install risk.
Credentials
The skill requests no environment variables or credentials. Scripts read/write a local earl_mind.json and one script calls a public weather API — all consistent with the documented purpose. No unrelated secrets or cloud credentials are requested.
Persistence & Privilege
always:false and user-invocable:true. The skill does not request system-wide config changes or other skills' credentials. It runs locally and modifies only files within its directory (earl_mind.json).
Scan Findings in Context
[unicode-control-chars] unexpected: The SKILL.md triggered a 'unicode-control-chars' pattern which can be used for prompt-injection or to hide characters/content. This is unexpected for a local dashboard skill. The repo's code files appear readable and not obfuscated, but you should inspect SKILL.md and other files for hidden control characters before trusting automated execution.
What to consider before installing
The skill appears to do exactly what it says: run a local Python server, launch a kiosk browser, and edit a local JSON state file via the included Python API. That said, take these precautions before installing or running: 1) Inspect SKILL.md and the shipped Python files for hidden/strange characters or modifications (the scanner flagged 'unicode-control-chars'). 2) Open and review VisuoSpatialSketchpad/update_vibe.py and other small scripts (they modify earl_mind.json and one sets a message 'Text me on Telegram...' — that message is harmless but odd; there is no Telegram integration provided). 3) Back up your existing earl_mind.json (it can contain private household state) and ensure it is not a symlink to an unexpected path. 4) Run the scripts in a user account with limited privileges (not root/Administrator). 5) Be aware update_weather_ping.py makes outbound calls to api.open-meteo.com; if you require offline operation, set latitude/longitude to 0.0 as documented. 6) If you will let an AI agent invoke the skill autonomously, restrict network access or run the skill on an isolated machine if you have privacy concerns. If you want, I can highlight the exact SKILL.md locations with control characters and show the lines to inspect.Like a lobster shell, security has layers — review code before you run it.
latestvk9718tze735xr2wqvpw5ntt5m9817yk8
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📺 Clawdis
OSmacOS · Windows · Linux
Binspython3