ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nanoleaf (Picoleaf)

v1.0.0

Control Nanoleaf light panels via the Picoleaf CLI. Use for turning Nanoleaf on/off, adjusting brightness, setting colors (RGB/HSL), changing color temperature, or any Nanoleaf lighting control.

0· 1.8k·0 current·0 all-time
by@rstierli
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required binary (picoleaf), and runtime instructions all match: the skill wraps the Picoleaf CLI to control Nanoleaf lights. Requested binaries and config (~/.picoleafrc) are appropriate for this purpose.
Instruction Scope
SKILL.md stays on-scope: it instructs discovering the device on the local network, generating a local access token (requires physical button press), creating a local config file (~/.picoleafrc) with host and token, and running picoleaf commands. It does not request unrelated files, extra environment variables, or exfiltration to external endpoints.
Install Mechanism
Registry install spec lists a Homebrew formula (paulrosania/command-home/picoleaf) which is an expected low-risk mechanism. SKILL.md metadata also includes an alternative binary install that uses curl to download a GitHub release tarball and extract it to ~/.local/bin — GitHub Releases is a reasonable source but the SKILL.md and registry metadata are inconsistent. The tar+extract will write binaries to disk; verify the release source and contents before running.
Credentials
No environment variables or external credentials are requested. The skill requires storing a device-local access token in ~/.picoleafrc, which is appropriate and expected for controlling the device.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and has no elevated system persistence. Autonomous invocation is allowed (platform default) but not combined with any other elevated privileges.
Assessment
This skill appears to do exactly what it says: run the Picoleaf CLI to control local Nanoleaf lights. Before installing, verify which install method you will use: the registry lists a Homebrew formula (low risk), while the SKILL.md includes a curl|tar command that downloads a GitHub release and extracts into ~/.local/bin. If you use the binary install, inspect the release archive (checksum/signature if available) and the files it will place in your PATH. The skill instructs creating ~/.picoleafrc containing your local access_token — treat that file as sensitive (set restrictive file permissions). Ensure you trust the picoleaf distribution source and are comfortable that the agent can execute picoleaf commands on your local network (it can turn lights on/off and change settings).

Like a lobster shell, security has layers — review code before you run it.

latestvk975ekp54hyrx36rhn5vnbjz817z41d7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🌈 Clawdis
Binspicoleaf

Install

Install Picoleaf CLI (brew)
Bins: picoleaf
brew install paulrosania/command-home/picoleaf

Comments