Unihiker K10 Arduino
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This mostly looks like a real K10 Arduino helper, but review is recommended because the setup step pipes an unpinned remote installer into a shell and the upload step can fall back to any detected serial device rather than a verified K10.
Use this only if you are comfortable with local toolchain installation and hardware flashing. Prefer installing Arduino CLI manually from official pinned releases, do not run unlisted bundled executables, and pass the K10 serial port explicitly before uploading.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
No VirusTotal findings
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If another serial device is connected, the agent could attempt to compile/upload to the wrong device without a clear confirmation step.
When no port is supplied, the script may select any serial port and then upload firmware to it, which is broader than a verified K10-only target.
if not port and board['port']['protocol'] == 'serial':
# Fallback to any serial port
port = board['port']['address']
...
subprocess.run([arduino_cli, "upload", "-p", port, "--fqbn", fqbn,
Specify the K10 port explicitly, disconnect unrelated serial devices, and update the script to require VID/PID or board-name verification plus user confirmation before upload.
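The fallback above accepts the first serial port it sees. The following is an added example, not code from the skill, of how the upload path could be hardened: it parses `arduino-cli board list --format json`, accepts a port only when its USB VID/PID and the board FQBN reported by arduino-cli both match the expected K10 values, refuses when zero or more than one candidate is found, and asks for an explicit confirmation before running `arduino-cli upload`. The VID, PID and FQBN constants, the sample board list, and the handling of both the arduino-cli 1.x (`{"detected_ports": [...]}`) and older bare-list JSON shapes are assumptions; take the real K10 identifiers from the board's documentation.

```python
import json
import subprocess

# Placeholders (assumption, not from the reviewed skill): replace with the
# K10's documented USB VID/PID and the FQBN the skill uses for it.
EXPECTED_VID = "0x303a"
EXPECTED_PID = "0x1001"
EXPECTED_FQBN = "esp32:esp32:esp32s3"

# Constructed sample of `arduino-cli board list --format json` output:
# one unrelated USB-serial adapter and one board that looks like the K10.
SAMPLE_BOARD_LIST = """{
  "detected_ports": [
    {"port": {"address": "/dev/ttyUSB0", "protocol": "serial",
              "properties": {"vid": "0x10C4", "pid": "0xEA60"}},
     "matching_boards": []},
    {"port": {"address": "/dev/ttyACM0", "protocol": "serial",
              "properties": {"vid": "0x303A", "pid": "0x1001"}},
     "matching_boards": [{"name": "ESP32S3 Dev Module",
                          "fqbn": "esp32:esp32:esp32s3"}]}
  ]
}"""


def parse_board_list(json_text):
    """Return the list of detected-port entries.

    arduino-cli 1.x wraps the list in {"detected_ports": [...]}; older 0.x
    releases emit a bare list (assumption: both shapes are tolerated here).
    """
    data = json.loads(json_text)
    if isinstance(data, dict):
        return data.get("detected_ports", [])
    return data


def list_detected_ports(arduino_cli="arduino-cli"):
    """Ask arduino-cli for the current port list (needs the CLI installed)."""
    out = subprocess.run([arduino_cli, "board", "list", "--format", "json"],
                         check=True, capture_output=True, text=True).stdout
    return parse_board_list(out)


def select_k10_port(entries, vid=EXPECTED_VID, pid=EXPECTED_PID,
                    fqbn=EXPECTED_FQBN):
    """Return the one serial port that matches the K10, or raise.

    A port qualifies only if it is serial, its USB VID/PID match, and
    arduino-cli lists the expected FQBN among its matching boards.
    Zero or several candidates is an error: never guess a flash target.
    """
    candidates = []
    for entry in entries:
        port = entry.get("port", {})
        if port.get("protocol") != "serial":
            continue
        props = port.get("properties", {})
        if (props.get("vid", "").lower() != vid.lower()
                or props.get("pid", "").lower() != pid.lower()):
            continue
        fqbns = {b.get("fqbn") for b in entry.get("matching_boards", [])}
        if fqbn not in fqbns:
            continue
        candidates.append(port["address"])
    if len(candidates) != 1:
        raise RuntimeError(
            f"expected exactly one K10, found {len(candidates)}: {candidates}")
    return candidates[0]


def confirm_and_upload(arduino_cli, sketch_dir, port, fqbn=EXPECTED_FQBN,
                       ask=input):
    """Show the exact target and require a literal 'yes' before flashing.

    Returns False (and runs nothing) unless the user confirms.
    """
    answer = ask(f"Upload {sketch_dir} to {port} ({fqbn})? [yes/NO] ")
    if answer.strip().lower() != "yes":
        return False
    subprocess.run([arduino_cli, "upload", "-p", port, "--fqbn", fqbn,
                    sketch_dir], check=True)
    return True


if __name__ == "__main__":
    # Dry run against the constructed sample; swap in list_detected_ports()
    # to query real hardware.
    chosen = select_k10_port(parse_board_list(SAMPLE_BOARD_LIST))
    print("would flash:", chosen)
```

Because the check keys on both the USB identity and the FQBN that arduino-cli itself derived for the port, an unrelated CP210x or CH340 adapter that happens to be plugged in is skipped instead of being flashed, and two K10s at once still stop the script rather than picking one silently.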
Running setup could execute code that was not part of the reviewed skill package and make persistent changes to the user's toolchain.
The setup script executes an unpinned remote installer from a moving branch and installs unpinned Python packages, including MicroPython tools beyond the Arduino-focused scope.
curl -fsSL https://raw.githubusercontent.com/arduino/arduino-cli/master/install.sh | sh
...
sudo mv bin/arduino-cli /usr/local/bin/
...
pip3 install mpremote || pip install mpremote
pip3 install adafruit-ampy || pip install adafruit-ampy
Avoid running the setup script as-is; prefer pinned official releases with checksums, declare all dependencies in metadata, and make non-Arduino tools optional.
Windows users may be directed to trust a local executable whose presence and provenance are not verified by the supplied artifacts.
The documentation tells Windows users to run a bundled executable, but the provided file manifest does not include arduino-cli.exe, creating either a broken instruction or an unreviewed-binary provenance gap.
On Windows, the skill directory already contains a pre-downloaded `arduino-cli.exe`, which can be used directly: ... .\arduino-cli.exe version
Install arduino-cli from the official Arduino release page with checksum verification, or ensure any bundled executable is included in the manifest with clear provenance.
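Both the unpinned `curl ... master/install.sh | sh` setup step and the unverified bundled Windows executable have the same fix: fetch a specific arduino-cli release and compare its SHA-256 against the checksum file published alongside it before anything is moved into PATH. The block below is an added example written for this review, not the skill's or Arduino's own installer. The pinned version number, the archive and checksum file names (goreleaser-style `arduino-cli_<version>_<os>.tar.gz` and `arduino-cli_<version>_checksums.txt`), the assumption that the tarball holds the binary as `arduino-cli` at its root, and the sample archive bytes are all assumptions; confirm the exact names on the release page you pin to.

```python
import hashlib
import hmac
import os
import re
import tarfile
import urllib.request

# Pin one release instead of `master`. The version is an assumption chosen
# for illustration; check the arduino-cli releases page for the one you want
# and for the exact archive/checksum file names.
ARDUINO_CLI_VERSION = "1.0.4"
RELEASE_BASE = ("https://github.com/arduino/arduino-cli/releases/download/"
                f"v{ARDUINO_CLI_VERSION}")
ARCHIVE = f"arduino-cli_{ARDUINO_CLI_VERSION}_Linux_64bit.tar.gz"
CHECKSUMS = f"arduino-cli_{ARDUINO_CLI_VERSION}_checksums.txt"

# One line per file: "<64 hex chars>  <name>" (a leading '*' marks binary mode).
CHECKSUM_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S+)$")


def pinned_urls(archive=ARCHIVE, checksums=CHECKSUMS):
    """URLs for a fixed release, never a moving branch."""
    return f"{RELEASE_BASE}/{archive}", f"{RELEASE_BASE}/{checksums}"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def expected_digest(checksums_text: str, filename: str) -> str:
    """Return the SHA-256 listed for `filename`, or raise if it is absent."""
    for line in checksums_text.splitlines():
        m = CHECKSUM_LINE.match(line.strip())
        if m and m.group(2) == filename:
            return m.group(1).lower()
    raise ValueError(f"{filename} is not listed in the checksums file")


def verify_archive(archive_bytes: bytes, checksums_text: str,
                   filename: str) -> bool:
    """True only if the bytes hash to the digest pinned for `filename`."""
    return hmac.compare_digest(sha256_hex(archive_bytes),
                               expected_digest(checksums_text, filename))


def download_and_verify(dest_dir="."):
    """Fetch the pinned archive and checksum file; unpack only on a match.

    This is the only function that touches the network; nothing runs on
    import, so the offline checks below can be exercised without it.
    """
    archive_url, checksums_url = pinned_urls()
    with urllib.request.urlopen(archive_url) as resp:
        archive = resp.read()
    with urllib.request.urlopen(checksums_url) as resp:
        checksums = resp.read().decode()
    if not verify_archive(archive, checksums, ARCHIVE):
        raise SystemExit(f"checksum mismatch for {ARCHIVE}; not installing")
    path = os.path.join(dest_dir, ARCHIVE)
    with open(path, "wb") as f:
        f.write(archive)
    with tarfile.open(path) as tar:
        # Assumption: the binary sits at the archive root as "arduino-cli".
        tar.extract("arduino-cli", dest_dir)
    return os.path.join(dest_dir, "arduino-cli")


# Constructed sample data for an offline self-check (not a real release).
SAMPLE_ARCHIVE = b"not a real tarball, just bytes to hash"
SAMPLE_CHECKSUMS = (f"{sha256_hex(SAMPLE_ARCHIVE)}  {ARCHIVE}\n"
                    + "0" * 64 + "  other_file.zip\n")


if __name__ == "__main__":
    print("sample verifies:", verify_archive(SAMPLE_ARCHIVE, SAMPLE_CHECKSUMS, ARCHIVE))
    print("tampered verifies:", verify_archive(SAMPLE_ARCHIVE + b"!", SAMPLE_CHECKSUMS, ARCHIVE))
```

The same pattern applies to the bundled `arduino-cli.exe`: if it stays in the package, list it in the manifest together with the release version and SHA-256 it was taken from, so a user can run the check above against it instead of trusting whatever binary happens to be in the directory. For the Python tools, the equivalent of pinning is `pip install "mpremote==<version>"` with `--require-hashes` from a requirements file, and only when the user has opted into MicroPython support.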
