Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Garden Irrigation

v1.0.1

Prototype smart irrigation skill scaffold for greenhouse and outdoor zones using Tuya sensors and weather data.

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for bowlderstudio/garden-irrigation.

Prompt preview (Install & Setup):
Install the skill "Garden Irrigation" (bowlderstudio/garden-irrigation) from ClawHub.
Skill page: https://clawhub.ai/bowlderstudio/garden-irrigation
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install garden-irrigation

ClawHub CLI

npx clawhub@latest install garden-irrigation

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
Name/description match the code: it reads soil sensors, fetches weather, makes irrigation decisions and can request valve actuation. However the declared metadata says no required env/config and 'instruction-only', yet the package contains runnable code and relies on an external 'tuya-cloud' skill and Tuya credentials (mentioned in README). The skill should have declared those dependencies and required env vars; their absence is an incoherence.
Instruction Scope
Runtime scripts stay within the stated domain (read sensors via tuya-cloud, call Open-Meteo, write local JSONL reports, optionally call valve control). They also include helpers to emit OpenClaw tool-call markers to send notifications. They do not access unrelated system files or secrets directly, but they do call a controller script from another skill (subprocess) which delegates behavior outside this package.
Install Mechanism
There is no install spec (instruction-only metadata), and no external download/install instructions in the manifest; code is included directly. This is low install-surface risk. Note: the code will execute an external script from the 'tuya-cloud' skill via subprocess, so you must ensure that other skill's code is trustworthy.
Credentials
Metadata declares no required environment variables, but README and code expect Tuya credentials (TUYA_ACCESS_ID, TUYA_ACCESS_SECRET, TUYA_API_ENDPOINT) via the tuya-cloud integration and may rely on OPENCLAW_AGENT_ID at runtime to determine environment context. The system config also contains bot_account_id/bot_target placeholders used to send messages. Missing declaration of these required credentials/configs is a mismatch and increases risk if users assume no secrets are needed.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills' configuration. It writes logs and reports into a configurable data directory (config.storage.base_dir), which by default points outside the skill directory ('../data') — this is normal for an app but worth noting. Autonomous invocation (disable-model-invocation=false) is the platform default and not by itself a red flag here.
What to consider before installing
This skill appears to implement a reasonable irrigation prototype, but the package metadata is inconsistent with what the code actually needs. Before installing or running it:

1) Ensure the dependent tuya-cloud skill is installed and inspect its tuya_controller.py — the TuyaClient calls that script via subprocess, so that other skill's code will execute on your machine.
2) Provide and protect Tuya credentials (TUYA_ACCESS_ID, TUYA_ACCESS_SECRET, TUYA_API_ENDPOINT) as instructed by tuya-cloud; the skill's metadata did not declare these required env vars.
3) Review and, if needed, change config/system.json reporting.bot_account_id and bot_target so the skill will not send notifications to unknown endpoints.
4) Be aware the skill writes data to disk (data/ or configured base_dir, default ../data) — confirm the path is acceptable.
5) Run initially in a safe environment (no real valves attached or with automation disabled / require_confirmation enabled) until you verify behaviour.

If you want a cleaner trust boundary, ask the author to update the skill metadata to list required env vars, required config paths, and the dependency on tuya-cloud explicitly.

Like a lobster shell, security has layers — review code before you run it.

latest vk974t718mj0s3xc71bjcaav90d84q41b
96 downloads
0 stars
2 versions
Updated 2w ago
v1.0.1
MIT-0

garden-irrigation

This skill scaffold:

  • reads soil sensors from the existing skills/tuya-cloud
  • fetches weather history and forecast
  • creates per-zone irrigation plans
  • stores logs and reports under /data/workspace-garden_manager/garden-irrigation/data

Current status:

  • planning and logging implemented
  • live valve actuation not enabled yet
