Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Unihiker K10 Arduino

v1.0.0

Use when programming Unihiker K10 board with Arduino/C++, uploading code, flashing firmware, or accessing K10 Arduino APIs (screen, sensors, RGB, audio, AI,...

by Rockets_cn (@rockets-cn)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, references, and scripts align with an Arduino development/upload tool for the Unihiker K10. However, SKILL.md claims a pre-downloaded Windows arduino-cli.exe in the skill directory, while the file manifest does not include that binary. This minor inconsistency should be clarified.
Instruction Scope
Runtime instructions and scripts stay within the expected scope (install arduino-cli, install BSP, detect serial port via /dev and sysfs, compile and upload sketches). They do, however, instruct actions that affect system state: adding items to PATH, changing PowerShell execution policy, creating ~/.k10, and installing libraries via arduino-cli and pip. Port-detection scripts read sysfs/udev and invoke PowerShell on Windows (expected for device detection).
Install Mechanism
There is no formal install spec, but setup.sh pipes a remote installer (curl https://raw.githubusercontent.com/... | sh) and uses pip to install tools. setup.sh also attempts to move binaries into /usr/local/bin (sudo may be used). SKILL.md and scripts reference a board-manager URL hosted at https://downloadcd.dfrobot.com.cn, a vendor host but not a canonical GitHub release host. Downloading and executing remote scripts and installing packages automatically increases risk and should be reviewed.
Credentials
The skill requests no environment variables, no API keys, and no config paths beyond creating a local ~/.k10 directory. No credentials appear required. That is proportional to the stated purpose. Note: scripts may modify PATH and suggest changing PowerShell execution policy on Windows.
Persistence & Privilege
always:false, and there is no request to modify other skills or global agent configuration. However, setup.sh can install system binaries (move to /usr/local/bin) and pip packages, and SKILL.md suggests adding its scripts to the user PATH. These are normal for developer tooling but elevate the skill's system presence and may require sudo.
What to consider before installing
This skill looks coherent for uploading and managing Arduino sketches on a Unihiker K10, but review before running:
1) Do not blindly run setup.sh that pipes remote scripts to sh; inspect the installer script from https://raw.githubusercontent.com first.
2) Verify the Unihiker BSP URL (https://downloadcd.dfrobot.com.cn/...) and any downloaded binaries for authenticity; prefer official GitHub releases where possible.
3) The script may prompt for sudo and will install/move binaries into /usr/local/bin and pip-install packages; consider running in a disposable/VM environment if you have doubts.
4) Note the SKILL.md claim of a bundled Windows arduino-cli.exe is not matched by the manifest; confirm whether a binary is actually included before trusting it.
5) If you only need reference docs, no installation is necessary; only run the upload/setup steps when you accept the risk of installing system-level tooling.
