ClawHub

Airtap: Every claw now has a phone

v1.0.6

Use this skill when the user wants to operate Airtap or complete a request through a mobile app on an Airtap device. It lists receivers and models, creates A...

3· 83·0 current·0 all-time
by@skills-airtap
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description, declared requirements (python3 and AIRTAP_PERSONAL_ACCESS_TOKEN), CLI scripts, and documented capabilities (list receivers/models, create/poll/cancel tasks, optionally relay updates to OpenClaw) align with each other. The OpenClaw relay behavior is an expected extra capability given the skill's stated intent to mirror updates into OpenClaw.
Instruction Scope
SKILL.md and the scripts stay within the Airtap task domain. The CLI can read a local .env and will base64-encode files when user-supplied image paths are passed (read_base64_file). That means the script can read arbitrary local files if invoked with an --image-file path; this is consistent with sending attachments but is a potential data-exfiltration vector if misused. The code also inspects environment variable names (e.g., checks for OPENCLAW_ or CODEX_ prefixes) to select a client name — reading env var keys is limited and appears benign but should be noted.
Install Mechanism
Instruction-only install (no installer that downloads/extracts arbitrary code). Dependencies are standard Python packages (requests, python-dotenv) listed in requirements.txt. No suspicious download URLs or archive extraction were used.
Credentials
Only AIRTAP_PERSONAL_ACCESS_TOKEN is declared as required (primaryEnv). The code also respects an optional AIRTAP_BASE_URL and AIRTAP_CLIENT_NAME (present in env.example), and inspects environment variable names for OPENCLAW_/CODEX_ prefixes. These additional env checks are explainable by client identification and OpenClaw integration, but users should not provide unrelated secrets. The skill does not request unrelated cloud credentials or many secrets.
Persistence & Privilege
always is false and the skill is user-invocable; it does call an external OpenClaw CLI when asked to relay updates, which executes a subprocess but only when explicit routing flags are provided. It does write the Airtap token to scripts/.env when using --add-token (documented). No evidence of modifying other skills or system-wide configs.
Assessment
This skill is internally consistent with an Airtap client, but review these before installing: 1) Protect your AIRTAP_PERSONAL_ACCESS_TOKEN — the CLI will read it from environment or scripts/.env and uses it for API calls. 2) The CLI can embed files you point it at (image attachments are base64-encoded and sent to Airtap) — do not pass sensitive local files as images. 3) If you use OpenClaw mirroring, the skill will execute the OpenClaw CLI you specify; ensure the path is correct and you trust that binary. 4) Confirm the Airtap base URL (defaults to https://airtap.ai/cortex/api) and token scopes before use. If you want extra assurance, inspect scripts/airtap.py and scripts/airtap_common.py locally and run them in a restricted environment (or with a token that has minimal permissions).

Like a lobster shell, security has layers — review code before you run it.

latestvk97eevgryyfa5bgx537xn0z7ch8431sb

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📱 Clawdis
Binspython3
EnvAIRTAP_PERSONAL_ACCESS_TOKEN
Primary envAIRTAP_PERSONAL_ACCESS_TOKEN

Comments