ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

BYD Remote Control

v1.0.0

Control and check a BYD vehicle using portable Python helper scripts built on pyBYD. Use when the user wants to check battery state, lock the car, flash ligh...

0· 12·0 current·0 all-time
by@hiimivantang
Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The scripts and SKILL.md behavior (battery checks, lock, flash lights, start/stop A/C) match the advertised purpose and rely on the pyBYD library as expected. However, the registry metadata lists no required environment variables or primary credential while the included setup.md and code require BYD_USERNAME, BYD_PASSWORD and BYD_PIN/ BYD_CONTROL_PIN — a clear mismatch between declared requirements and actual needs.
Instruction Scope
The runtime instructions are narrow and consistent with the stated purpose: they instruct the user to run bundled Python scripts which load a .env file from the scripts directory and call the pyBYD client API. The scripts only read their local .env and environment variables, select a vehicle (or default to the first), and invoke vehicle commands; they do not attempt to read unrelated system files or exfiltrate data to unexpected endpoints in the provided code.
Install Mechanism
There is no automated install spec; the README instructs the user to install the pybyd Python dependency manually. No remote downloads, extract operations, or obscure URLs are present in the package. The lack of an install script reduces automated risk but shifts responsibility to the user to install pybyd from a trusted source.
!
Credentials
The code requires sensitive credentials (BYD_USERNAME, BYD_PASSWORD) and a control PIN (BYD_PIN or BYD_CONTROL_PIN) loaded from a local .env, but the skill metadata declares no required environment variables or primary credential. That omission is an incoherence: the skill will not function without secrets, and the registry entry does not warn users that secrets are required or will be read from disk. This increases the risk of accidental exposure if a user installs or runs the skill without understanding where to store credentials.
Persistence & Privilege
The skill does not request persistent platform privileges (always: false) and does not modify other skills or system-wide settings. It only reads a .env file from its own directory and environment variables; it does not create long-lived background services or write to unrelated system paths.
What to consider before installing
This package appears to do what it says (control BYD vehicles via pyBYD), but the registry metadata is incomplete: the scripts require BYD_USERNAME, BYD_PASSWORD and a control PIN (BYD_PIN or BYD_CONTROL_PIN) stored in a .env in the skill's scripts directory. Before installing or running: 1) Verify the source/trustworthiness of the skill and the pyBYD package (install pyBYD only from its official repository or PyPI after checking it). 2) Do not place your primary BYD credentials in world-readable locations; prefer running the scripts in an isolated environment or container and store .env with strict file permissions. 3) Consider creating a limited or test BYD account if possible, and set BYD_VIN or BYD_VEHICLE_ALIAS to ensure commands target the intended vehicle (the scripts default to the first vehicle returned if unset). 4) If you expect the registry to declare required secrets, ask the publisher to update metadata to list required env vars/primary credential. The mismatch between metadata and code is the primary reason for caution.

Like a lobster shell, security has layers — review code before you run it.

latestvk971ff0ckmmztvmcqy1ey6ev29858qjd
12downloads
0stars
1versions
Updated 3h ago
v1.0.0
MIT-0
@hiimivantang
latest
Download

BYD Remote Control

Use the bundled Python scripts in scripts/ for repeatable BYD actions instead of rewriting the same pyBYD code each time.

Available scripts

  • scripts/battery_check.py , fetch battery %, range, charging state, and timestamps as JSON
  • scripts/battery_monitor.py , fetch battery state and emit an alert payload when battery is below BATTERY_THRESHOLD
  • scripts/lock_car.py , lock the vehicle
  • scripts/flash_lights.py , flash lights / horn
  • scripts/start_ac.py , start climate control
  • scripts/stop_ac.py , stop climate control
  • scripts/byd_common.py , shared helper module used by the scripts

How to use

  1. Read references/setup.md if credentials or dependencies are not already configured.
  2. Run the relevant script from the skill directory so .env is discovered correctly.
  3. Prefer the existing script over ad hoc inline Python when the task matches one of the bundled actions.

Notes

  • The scripts load .env from the same directory as the scripts.
  • BYD_PIN is automatically bridged to BYD_CONTROL_PIN.
  • Vehicle selection can be controlled with BYD_VIN or BYD_VEHICLE_ALIAS. If neither is set, the scripts use the first vehicle returned by the account.
  • battery_monitor.py prints alert JSON when below threshold. Delivery should be handled by the caller or automation layer.

Comments

Loading comments...