Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Bloomin8

v2.0.1

Push images or markdown to a Bloomin8 e-ink photo frame via cloud API (async) or local BLE+LAN (instant). Scan nearby devices, check status, track delivery,...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the requested artifacts: device-bound tokens (BLOOMIN8_TOKEN_*) are the expected credential for the cloud API; python3 and included Python scripts implement BLE + HTTP local control and cloud pushes. Nothing requested appears unrelated to controlling Bloomin8 devices.
Instruction Scope
SKILL.md restricts operations to fetching the Bloomin8 open API docs, calling the documented cloud endpoints with device tokens, and performing local BLE scans, wake, and HTTP uploads to discovered device IPs. It only references env vars matching the declared BLOOMIN8_TOKEN_* prefix and does not instruct reading unrelated system files or secrets.
Install Mechanism
No install spec is provided (instruction-only install), and scripts are bundled with the skill. The included Python scripts require third-party packages (bleak, aiohttp, Pillow) per their docstrings; the registry only lists python3 as a required binary. This is reasonable but means users must manually install dependencies before running the scripts.
Credentials
The only requested credentials are device-scoped tokens (BLOOMIN8_TOKEN_*), which align with the cloud API authentication described. The skill does not request unrelated credentials or unexplained secrets.
Persistence & Privilege
always is false and the skill does not request permanent/global agent modifications. It will perform network and BLE operations, which are expected for its purpose; autonomous invocation is allowed by platform default but not excessive here.
Assessment
This skill appears coherent and implements both cloud and local control as advertised. Before installing or using it: (1) only set BLOOMIN8_TOKEN_* env vars for devices you control (these tokens grant the skill ability to push/cancel remote images); (2) expect to install Python packages (bleak, aiohttp, Pillow) to run local BLE/LAN features — review those packages and their versions; (3) local mode will scan Bluetooth and make HTTP requests to local IPs (normal for device control) — run on a trusted network and be aware of BLE/network permissions; (4) because scripts are bundled but there is no automated install, inspect or pin the code/dependencies you install. If you need higher assurance, request the skill author/source or a signed release and verify package versions before use.

Like a lobster shell, security has layers — review code before you run it.

e-ink, iot, latest, smart-home

Runtime requirements

🖼️ Clawdis
Bins: python3
Env: BLOOMIN8_TOKEN_*
