Duwi Smart Home

v1.0.5

Duwi smart home skill, based on the Duwi Open Platform API, supporting device control, scene execution, status queries, and other functions.

by 迪惟科技 @duwi2024
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description match the code: the package implements a Duwi API client, CLI, and device handlers for home automation. One minor mismatch: the registry metadata declares no required credentials, but the SKILL.md and code require an APPKEY and SECRET (saved to app_config.json) to operate. That omission in metadata is notable but not malicious.
Instruction Scope
Runtime instructions are limited to configuring APPKEY/SECRET, logging in with a phone/password (to obtain access tokens), choosing a house, and issuing device/scene commands. The code only accesses local files in the skill directory (app_config.json, token_cache.json, config.json, .cache) and the Duwi API at https://openapi.duwi.com.cn/homeApi/v1. There are no instructions to read unrelated system files or send data to third‑party endpoints outside the documented API.
Install Mechanism
This is an instruction + code skill with no install spec (no automated downloads). It lists a simple requirements.txt (requests). No archived downloads, custom installers, or obscure URLs are present.
Credentials
The skill legitimately needs application credentials (APPKEY and SECRET) and user login (phone/password) to call the Duwi API. However, those credentials are not declared in the registry metadata (no primary credential or required env vars), which reduces transparency. The code stores credentials/tokens locally (app_config.json, token_cache.json) and attempts to set restrictive file permissions (chmod 0o600).
Persistence & Privilege
The skill does not request always:true or other elevated platform privileges. It persists only its own configuration and token files in its script directory; it does not modify other skills or system-wide agent settings.
Assessment
This skill appears to do what it claims: it talks to Duwi's open API and stores local app credentials and login tokens. Before installing, consider the following: (1) confirm you trust the skill source — registry metadata lacked a declared primary credential even though the skill needs APPKEY/SECRET; (2) the skill will save APPKEY/SECRET in app_config.json and access tokens in token_cache.json in the skill folder (the code tries to set file permissions to 600); if you are concerned, run the skill in an isolated environment or review/rotate credentials after use; (3) verify the API base URL (https://openapi.duwi.com.cn/homeApi/v1) matches the official Duwi documentation you expect; (4) avoid providing your account password unless you trust the environment — the CLI stores tokens but not the user password; (5) if you require stricter guarantees, request the publisher/source and sign or vet the code before granting the agent autonomous access.
