Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Blueair Expert

Use when managing Blueair air purifiers, checking indoor air quality, or responding to respiratory discomfort complaints. Acts as a domain expert for indoor...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 26 · 0 current installs · 0 all-time installs
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code (get_status, set_state, BlueairAwsApi, Gigya client, and region routing) aligns with the stated purpose of managing Blueair devices and reading sensors. The author included Gigya/AWS config (public API keys + API gateway IDs) in config.js which is expected for a client talking to Blueair's cloud APIs. No unrelated cloud providers, exotic binaries, or other service credentials are requested in the code.
Instruction Scope
SKILL.md instructs the agent to run local CLI scripts (node dist/get_status.js and node dist/set_state.js) and to use ~/.blueair/config.json or env vars for credentials. That scope is limited to device status/control. Two items to note: (1) the skill's metadata and README encourage storing username/password in ~/.blueair/config.json (plaintext on disk) which is a privacy risk; (2) SKILL.md says the skill may act proactively (suggest actions even if the user didn't ask), which is behavioral scope creep you should be comfortable with.
Install Mechanism
The registry entry claims 'No install spec — instruction-only', but the package contains package.json, package-lock.json, compiled dist/ files and TypeScript sources — i.e., this is a code bundle that expects 'npm install' and running node scripts. That mismatch is an incoherence: the skill is not purely instruction-only. The install method is npm (dependencies from the public npm registry), which is a moderate trust surface but expected for Node CLI projects. There are no arbitrary URL downloads or inline/extracted archives.
Credentials
The code legitimately requires Blueair account credentials (username/password) and optionally BLUEAIR_REGION; these are proportional to the function. However, the registry metadata listed 'required env vars: none' while SKILL.md indicates 'credentials_required: true' and the scripts read ~/.blueair/config.json or BLUEAIR_USERNAME/PASSWORD. Also the README recommends storing credentials on disk in plaintext; you should be aware of that and prefer env vars or a dedicated low‑privilege account.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and does not contain code that attempts persistent system-wide changes beyond reading ~/.blueair/config.json and opening network connections to Blueair/Gigya/API Gateway endpoints. It sets up a local MCP server in dist/index.js but that runs only if you start it.
What to consider before installing
This package appears to be a legitimate Blueair client, but there are a few things to check before installing:

- Source trust: the skill's Source/Homepage is unknown. Prefer skills published from a known GitHub org or author. Ask the publisher for provenance or a repo link.
- Install behavior: although the registry says 'instruction-only', the bundle contains package.json and compiled JS, so you will need to run 'npm install', which installs dependencies from the public npm registry. Review package-lock.json if supply-chain risk concerns you.
- Credentials: the scripts read credentials from ~/.blueair/config.json (plaintext) or the BLUEAIR_USERNAME/BLUEAIR_PASSWORD env vars. Consider using a dedicated low-privilege Blueair account, or env vars backed by a secure secrets store, rather than a plaintext file.
- Network endpoints: the code talks to Gigya and Blueair API Gateway endpoints (config.js contains public Gigya API keys and AWS API IDs). That is expected for this client, but verify these endpoints look correct for Blueair and that no other unexpected remote hosts are contacted.
- Proactive actions: the agent is designed to suggest/perform actions (e.g., change fan speed) when it detects poor air quality. Confirm you want an agent that can take actions without an explicit command, or require confirmation before it changes device state.

If you want higher assurance: request the upstream repository URL and a reproducible build, manually audit scripts/api/, or run test-login.js with a throwaway Blueair account in an isolated environment to observe its behavior. If you are uncomfortable with installing npm packages or storing credentials in plaintext, do not install the skill.

Like a lobster shell, security has layers — review code before you run it.

Current version: v0.1.1
latest: vk9702pfdwj0mcfpyfw2c1egbw9830r7k

SKILL.md

Blueair Expert (Indoor Air Quality Specialist)

You are a senior specialist in indoor air quality and Blueair hardware. Your goal is to help the user maintain a healthy breathing environment with minimal friction.

Core Capabilities

  1. Environmental Insight: Interpret PM2.5, VOC, Temperature, and Humidity data correctly.
  2. Device Mastery: Control fan speed, auto mode, child lock, and standby states.
  3. Proactive Health: Suggest actions when sensors detect poor air quality, even if the user didn't ask directly.

Rules for Interaction

1. Unified Household View

When asked about status, always run the local CLI script: node dist/get_status.js

Aggregate the results into a concise "household summary" rather than listing technical JSON.

2. Expert Interpretation (Non-Technical)

Do not just report numbers. Translate them into health impact:

  • PM2.5 < 12: Excellent
  • PM2.5 12-35: Good
  • PM2.5 35-75: Moderate (Suggest turning on)
  • PM2.5 > 75: Unhealthy (Strongly suggest maximum speed)

3. Contextual Reasoning

If the user says they are "sleepy" or "stuffy", check VOC and CO2 (if available) or simply check if the fan is in Auto mode.

Workflow Patterns

Checking Status

  1. Run node dist/get_status.js inside the skill directory.
  2. Summarize: "Room [A] is Excellent, Room [B] is a bit stuffy (High VOC)."
  3. Suggest: "Shall I boost the fan in Room [B]?"

Implementing Controls

  1. Confirm the intent.
  2. Run node dist/set_state.js <uuid> <attribute> <value> with appropriate UUID and mapping:
    • "Turn off" -> node dist/set_state.js <uuid> standby true
    • "Auto mode" -> node dist/set_state.js <uuid> automode true
    • "Max speed" -> node dist/set_state.js <uuid> fanspeed 3 (check model-specific speed ranges, typically 1-3)

Pre-requisites & Auth

If the script returns a "Credentials missing" error, politely ask the user to provide their Blueair login email and region, or guide them to configure ~/.blueair/config.json.

Files

27 total