Unihiker K10 MicroPython

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill's content mostly matches its stated purpose, K10 MicroPython development, but its setup and flashing paths rely on unpinned remote code and on firmware that is not included in the skill's artifacts, and both can make high-impact changes to your computer or board.

Install only if you are comfortable reviewing the setup and flashing scripts. Prefer installing dependencies yourself from trusted pinned releases, verify the MicroPython firmware source and checksum, and specify the K10 serial port manually before flashing.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI04: Agentic Supply Chain Vulnerabilities (severity: Medium)

What this means

Running setup could execute whatever code is served by that upstream URL at the time, changing your local development environment.

Why it was flagged

The setup helper executes a remote installer directly from the current master branch without a pinned version, checksum, or reviewed local copy.

Skill content

curl -fsSL https://raw.githubusercontent.com/arduino/arduino-cli/master/install.sh | sh

Recommendation

Run setup only intentionally; prefer installing arduino-cli from a pinned release or package manager, and review or checksum any remote installer first.

ASI04: Agentic Supply Chain Vulnerabilities (severity: Medium)

What this means

If a user supplies or already has a different file at that path, the script will flash that unreviewed firmware to the K10 board.

Why it was flagged

The flasher depends on a firmware binary outside the provided manifest, with no source, signature, or checksum shown in the artifacts.

Skill content

FIRMWARE="${HOME}/.claude/skills/unihiker-k10/firmware/k10-micropython-v0.9.2.bin"

Recommendation

Use firmware obtained directly from the device/vendor source, verify its checksum or signature, and update the skill to document the firmware provenance.

ASI02: Tool Misuse and Exploitation (severity: Low)

What this means

A wrong serial-port guess could reset, upload to, or attempt to flash the wrong connected device.

Why it was flagged

The helper may automatically choose a serial port, and the flashing/upload scripts rely on this detection when no port is provided.

Skill content

# Method 2: If only one USB serial port, assume it's K10

Recommendation

Before flashing or uploading, run the port-listing command and pass the exact K10 port explicitly.