Back to skill
Skillv1.0.0
VirusTotal security
SenseRobot元萝卜光翼灯 · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 28, 2026, 2:16 PM
- Hash
- c460a25ba781014fda857fc493375cb2adab08c11011083bb7f6ecdd536a196b
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: lightwing-control Version: 1.0.0 The skill bundle provides extensive control for the 'Yuanluobo Lightwing' smart lamp but contains a significant remote command execution (RCE) vulnerability. Specifically, `scripts/lightwing_watchdog.py` uses `os.system` to send notifications, which is susceptible to shell injection if the MQTT status data from the lamp is manipulated. The bundle also includes hardcoded paths and a specific Feishu user ID (`ou_bf4314b08df70c2b95f2c2b33ac1f4ce`). While the instructions in `SKILL.md` and `references/auth-api.md` show an unusual level of care in preventing the AI from misusing SMS verification codes, the combination of high-privilege shell access and external network communication (MQTT/Feishu) makes this bundle risky.
- External report
- View on VirusTotal