box2robot-skills
v1.0.7
Control Box2Robot robotic arms via cloud API — move servos, record trajectories, calibrate, camera, voice, and orchestrate AI training/inference.
by @boxjod
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required env vars (B2R_TOKEN, B2R_SERVER, B2R_DEVICE), required binary (python3), install dependency (aiohttp), and the included Python CLI (b2r.py) all align with a cloud‑API robotic control CLI.
Instruction Scope
SKILL.md and the CLI source instruct only HTTP calls to the configured server and local token file; the README and SKILL.md clearly document device control, camera/microphone access, and destructive operations and warn about human supervision. The runtime instructions do not request unrelated system files or credentials.
Install Mechanism
The install spec only requires the aiohttp Python package (uv entry), which is proportionate for an async HTTP CLI. No arbitrary URL downloads or archive extraction are used.
Credentials
Only B2R_TOKEN, B2R_SERVER, and B2R_DEVICE are required; the primary credential is B2R_TOKEN (a JWT) which is appropriate for a cloud API client. Token persistence is local (~/.b2r_token) with owner‑only file permissions as documented. Note: B2R_SERVER is overridable via env, so a user could accidentally point the CLI at an untrusted server.
Persistence & Privilege
always:false (good). However, model invocation is not disabled (disable-model-invocation=false), so an agent could call this skill autonomously. Because the skill moves hardware and accesses camera/microphone, operators should avoid enabling autonomous runs without strict supervision or policy controls.
Assessment
This skill appears internally consistent with a cloud‑API robotic arm CLI: it needs a JWT (B2R_TOKEN), the server URL, and optionally a device ID, and it installs only aiohttp. Important operational cautions: (1) Treat the saved JWT (~/.b2r_token) like an SSH key — rotate and delete it if compromised. (2) Do not allow autonomous, unsupervised invocation of this skill (it can move servos and access camera/microphone); consider disabling autonomous use or only granting it in supervised contexts. (3) Only use a trusted B2R_SERVER — the env var can be changed to point the client at a different endpoint, which would let that endpoint accept commands or collect data. (4) Review the b2r.py file yourself before installing, and if possible prefer passing a short‑lived token via B2R_TOKEN rather than leaving a long‑lived token on disk. If you need higher assurance, ask the publisher for provenance (the package source is unknown) or run the code in a restricted environment first.
Like a lobster shell, security has layers — review code before you run it.
latestvk975pk16d0ztj52d0veghxsh49852f4f
Runtime requirements
Bins: python3
Any bin: python3, python
Env: B2R_TOKEN, B2R_SERVER, B2R_DEVICE
Primary env: B2R_TOKEN
Install
uv
uv tool install aiohttp