ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

enzoldhazam

v1.0.1

Control NGBS iCON Smart Home thermostats. Use when the user asks about home temperature, heating, thermostat control, or wants to adjust room temperatures.

0· 1.9k·0 current·0 all-time
by@daniel-laszlo
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (control NGBS iCON thermostats) matches the included code and SKILL.md: the Go client talks to https://www.enzoldhazam.hu, supports login, listing devices and setting thermostat target temperatures. The CLI commands documented (status, get, set, login/logout) align with the implementation.
Instruction Scope
SKILL.md instructs the user/agent to install and run a local CLI and to log in (credentials via macOS Keychain or env vars). The runtime instructions are narrowly scoped to checking status and setting temperatures and require confirming changes with the user. Note: SKILL.md and source rely on credentials (env vars or keychain), but the registry metadata declared no required env vars — this mismatch should be noted.
Install Mechanism
Installation is via git clone + go build from a GitHub repo (https://github.com/daniel-laszlo/enzoldhazam.git). This is a standard source-based install and the skill bundle includes the source files, so the code can be audited before building. Building and running the CLI will execute the included code locally and allow it to access network and the system keyring.
!
Credentials
Although the requested credentials (username/password and optional device serial) are appropriate for controlling a thermostat account, the registry metadata lists no required env vars or primary credential while both SKILL.md and source explicitly accept ENZOLDHAZAM_USER, ENZOLDHAZAM_PASS, and ENZOLDHAZAM_SERIAL and store credentials in the OS keyring. This metadata mismatch could mislead users about what secrets the skill will use. The use of a system keyring is justified for storing credentials but grants the skill access to local credential storage APIs.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills or system-wide agent settings. It stores/fetches only its own credentials (via keyring or env vars). Agent autonomy (disable-model-invocation=false) is the platform default and not a unique risk here.
Assessment
What to consider before installing: - Functionality: The skill legitimately needs your enzoldhazam.hu account credentials to list and set thermostats. Expect to provide credentials either via ENZOLDHAZAM_USER / ENZOLDHAZAM_PASS (env vars) or by using the CLI login which stores them in your OS keyring. - Metadata mismatch: The registry metadata lists no required env vars, but the README/SKILL.md and code do accept ENZOLDHAZAM_USER/ENZOLDHAZAM_PASS/ENZOLDHAZAM_SERIAL. Don't rely solely on the registry metadata — the skill will use credentials if provided. - Build/run risk: Installation requires cloning a GitHub repo and building a Go binary. Because the code runs locally, review the source (included in the skill) or run it in an isolated environment if you distrust the publisher. The included source appears to only communicate with https://www.enzoldhazam.hu and the Ax endpoint. - Keyring access: The CLI uses the system keyring to store credentials (via zalando/go-keyring). This is normal for convenience, but it means the program will call system credential APIs; if you prefer, use temporary environment variables instead of storing credentials in keychain. - Network behavior: All network calls in the code go to the stated domain (enzoldhazam.hu). There are no other external endpoints or obfuscated network calls in the provided source. - Operational caution: If you are uneasy about an agent invoking the CLI autonomously, consider restricting the skill's access or requiring explicit user confirmation (SKILL.md already advises confirming temperature changes). If you want extra safety, inspect the repository contents yourself before building and run the binary with least privilege or in a sandboxed environment.

Like a lobster shell, security has layers — review code before you run it.

latestvk978cqt13v5hg2vqgxakje9qc57zxh69
1.9kdownloads
0stars
2versions
Updated 2h ago
v1.0.1
MIT-0
@daniel-laszlo
latest
Download

enzoldhazam

Control NGBS iCON Smart Home thermostats via enzoldhazam.hu.

Setup

  1. Install the CLI:
git clone https://github.com/daniel-laszlo/enzoldhazam.git
cd enzoldhazam
go build -o enzoldhazam ./cmd/enzoldhazam
sudo mv enzoldhazam /usr/local/bin/
  1. Login (credentials stored in macOS Keychain):
enzoldhazam login

Or set environment variables:

export ENZOLDHAZAM_USER="your-email"
export ENZOLDHAZAM_PASS="your-password"

Commands

CommandDescription
enzoldhazam statusShow all rooms with temperatures
enzoldhazam status --jsonJSON output for parsing
enzoldhazam get <room>Get specific room details
enzoldhazam set <room> <temp>Set target temperature
enzoldhazam loginSave credentials to Keychain
enzoldhazam logoutClear stored credentials

Examples

# Check current temperatures
enzoldhazam status

# Set a room to 22°C
enzoldhazam set "Living Room" 22

# Get room info as JSON
enzoldhazam get "Bedroom" --json

Instructions

When the user asks about home temperature, heating, or thermostats:

  1. Use enzoldhazam status to check current state
  2. Use enzoldhazam set <room> <temp> to change temperature
  3. Parse --json output when you need to process the data

Always confirm temperature changes with the user before executing.

Comments

Loading comments...