Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Control your vehicle from AI agent

v1.1.2

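Vehicle information query skill. Queries vehicle location and vehicle condition (lock, doors, windows, air conditioning, power state, etc.). Trigger phrases: check my car, vehicle location, vehicle condition, where is my car. Cross-platform support for Linux/macOS/Windows.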

by Kuikui (@lkisme) · duplicate of @lkisme/carkey

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for lkisme/carkey1.

Install the skill "Control your vehicle from AI agent" (lkisme/carkey1) from ClawHub.
Skill page: https://clawhub.ai/lkisme/carkey1
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install carkey1

ClawHub CLI

npx clawhub@latest install carkey1

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The README/SKILL.md and script implement a vehicle information/query skill (location and condition). The package name/title implies "control" but there is no control/actuation API used — only a POST to /iot/v1/condition to fetch status. This naming mismatch is confusing and should be clarified.
Instruction Scope
Runtime instructions are limited to running the included shell script, prompting the user for a token (vehicleToken####accessToken), and caching results. The skill does not instruct reading unrelated system files or exfiltrating arbitrary host data. It does perform network calls to an external API as expected for its purpose.
Install Mechanism
There is no install spec — this is an instruction-only skill with an included shell script. Nothing in the package downloads or executes additional remote code. Risk is limited to executing the provided script locally.
Credentials
The skill asks the user for sensitive tokens (vehicleToken and accessToken) and stores them (and a query history) in plaintext files under the user's home directory (~/.carkey_cache.json and ~/.carkey_history.json). While no other credentials are requested, persisting tokens locally (and automatically sending them to an external API) is a privacy/security concern and should be justified/managed (e.g., encryption, TTL, manual deletion).
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It does create per-user cache and history files in the home directory, which is normal for CLI tools but is persistent and contains sensitive tokens.
What to consider before installing
This skill appears to be a vehicle-status query tool, not a remote-control tool — but the package title is misleading. Before installing: (1) confirm you trust the backend host (https://openapi.nokeeu.com) because your access token and vehicle token will be sent there; (2) be aware tokens and query history are stored in plaintext under your home directory (~/.carkey_cache.json and ~/.carkey_history.json) — delete or secure these files if you don't want persistent credentials; (3) if you need stronger guarantees, request the publisher's homepage or documentation, test with non-production/test credentials, or avoid giving real tokens until you verify the service operator.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97d5zbzxcpg7yjkymzp6yen5h83gdw2
92 downloads
0 stars
1 version
Updated 1mo ago
v1.1.2
MIT-0

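When to use

  • The user asks for the vehicle's location: "where is my car", "find out where the car is"
  • The user asks about vehicle condition: "is the car locked", "are the windows closed", "vehicle status"
  • When the user needs to provide authentication information, guide them to enter vehicleToken####accessToken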

Quick start

Method 1: absolute path (recommended for agent use)

# Assumes the skill is installed at ~/.openclaw/workspace/skills/carkey
~/.openclaw/workspace/skills/carkey/scripts/vehicle-query.sh
~/.openclaw/workspace/skills/carkey/scripts/vehicle-query.sh position
~/.openclaw/workspace/skills/carkey/scripts/vehicle-query.sh condition

Method 2: relative path (run manually by the user)

cd carkey
./scripts/vehicle-query.sh
./scripts/vehicle-query.sh position
./scripts/vehicle-query.sh condition

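Authentication

Format: vehicleToken####accessToken (the two tokens are separated by 4 # characters)

On first use the script prompts for the token and caches it automatically.

System         Cache path
Linux/macOS    ~/.carkey_cache.json
Windows        %USERPROFILE%/.carkey_cache.json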

Status codes

Field                Value meanings
power                0=off, 1=ACC, 2=ON
gear                 1=P, 2=N, 3=D, 4=R, 5=S
door/window/trunk    0=closed, 1=open
lock                 0=unlocked, 1=locked

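Error handling

Scenario              Handling
No cache              Guide the user to provide a token
Token expired         Prompt for re-authentication and delete the old cache
Request failed        Retry automatically 2 times, 30-second timeout
Missing dependency    Prompt to install curl/jq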

System support

System                   Dependency installation
Linux (Ubuntu/Debian)    sudo apt-get install curl jq
Linux (CentOS/RHEL)      sudo yum install curl jq
macOS                    brew install curl jq
Windows (Git Bash)       Already included
Windows (WSL)            wsl sudo apt-get install curl jq

File structure

carkey/
├── SKILL.md              # This document
├── README.md             # Detailed description
├── _meta.json            # Metadata
└── scripts/
    └── vehicle-query.sh  # Query script (cross-platform)
