Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Unihiker K10 MicroPython

v1.0.0

Use when programming Unihiker K10 board with MicroPython, uploading code, flashing firmware, or accessing K10 MicroPython APIs (screen, sensors, RGB, audio, AI)

by Rockets_cn (@rockets-cn)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the provided scripts and documentation: find-port, flash, upload, and API reference are all present and appropriate for programming a K10 with MicroPython. However, the flashing scripts reference a firmware binary at ${HOME}/.claude/skills/unihiker-k10/firmware/k10-micropython-v0.9.2.bin which is not included in the manifest — this mismatch should be explained (where does the firmware come from?).
Instruction Scope
SKILL.md and the scripts instruct the agent/user to run local shell scripts that access serial devices (/dev/*, COM ports), read/write files under HOME, and perform firmware flashing. Those actions are expected for the stated purpose. The concern is that setup.sh will execute network installs (curl | sh) and pip installs at runtime and potentially move binaries into system locations; these steps expand the scope beyond purely device-local operations and execute code fetched from the network.
Install Mechanism
There is no formal install spec; instead the bundled setup.sh performs dynamic installs: it curls and pipes the arduino-cli installer from raw.githubusercontent.com (remote script execution), runs pip installs for mpremote/ampy, and may move binaries to /usr/local/bin (sudo). Downloading and executing an installer script (curl | sh) and performing pip installs at runtime are moderate-to-high risk behaviors and should be reviewed before running. The firmware binary the flash scripts expect is not present in the package, implying an external download step is required but not specified.
Credentials
The skill requests no environment variables or credentials and does not try to access unrelated secret locations. It does reference HOME and places files under ~/.k10 and (implicitly) ~/.claude, which is plausible for per-user configuration. No tokens/keys are requested.
Persistence & Privilege
always is false and the skill is not force-enabled. setup.sh will create a ~/.k10 directory and may install system tools and libraries, potentially requiring sudo to move binaries into /usr/local/bin and modifying system state. That is reasonable for a developer tool but elevates the impact of running the script—review and run with least privilege (or in a container) if possible.
What to consider before installing
This skill appears to do what it claims, but take precautions before running its setup or flash scripts:
1) The setup script runs curl | sh against raw.githubusercontent.com, performs pip installs, and may move binaries with sudo; review that installer script and the pip packages before executing.
2) The flashing scripts expect a firmware binary at ${HOME}/.claude/skills/unihiker-k10/firmware/k10-micropython-v0.9.2.bin, but that file is not in the package; verify the firmware source and integrity before flashing.
3) Running these scripts modifies your system (installs tools, writes to ~/.k10, may require sudo); prefer installing arduino-cli/mpremote manually, or run setup in an isolated environment (VM/container) if you are unsure.
4) If you decide to proceed, inspect the scripts line by line for unexpected network calls or remote execution, and avoid running curl | sh blindly.
If you want, I can point out the exact lines to inspect or produce a safer, explicit installation checklist you can run manually.

Like a lobster shell, security has layers — review code before you run it.

