Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Openclaw Lifx
v1.0.1
Control LIFX smart lights via natural language. Toggle, set colors/brightness, activate scenes, create gradients on multi-zone devices.
⭐ 0· 719·0 current·1 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (LIFX control) match the scripts and README. The skill legitimately needs a LIFX API token and uses the LIFX HTTP API. Minor inconsistency: the registry metadata lists no required binaries, but the README and scripts expect curl, jq, and python3 (and the Python code requires the requests library).
Instruction Scope
SKILL.md instructs the agent to run the included scripts (setup.sh, lifx-api.sh, scene-status.py) and to use the LIFX API. The scripts only call the LIFX API endpoints (api.lifx.com) and read/write local skill files (.lifx-token, SKILL.md). There are no instructions to read unrelated system files or send data to other external endpoints.
Install Mechanism
No install spec (instruction-only) and all runtime code is included in the skill bundle — no network installs or archive extraction. This is low-risk from an install-mechanism perspective.
Credentials
Only LIFX_TOKEN is required (declared and used). The token is used exclusively to authenticate to the LIFX API. No unrelated credentials or environment variables are requested.
Persistence & Privilege
Not set to always:true and does not modify other skills. However, setup.sh persists your token to a local file (.lifx-token) and rewrites SKILL.md to include your device context (room names, group IDs, scene UUIDs). This is expected for the stated functionality but is persistent storage of sensitive info and device metadata.
Assessment
This skill appears to do what it says: it uses your LIFX token to call the official LIFX API and manage lights. Before running setup.sh, review the scripts (they are included) and be aware that setup.sh will save your token to .lifx-token in the skill directory and generate a SKILL.md containing your room names, group IDs, and scene UUIDs. Recommendations:
(1) Use a dedicated LIFX personal access token (revocable) rather than a long-lived account credential.
(2) After setup, consider whether you want the token stored on disk; if not, remove .lifx-token and export LIFX_TOKEN at runtime.
(3) Ensure your system has curl, jq, python3, and the Python requests package installed — the metadata did not declare these dependencies.
(4) The scene-status.py file has an absolute Python shebang (/storage/venv/bin/python3) but the scripts invoke python3 explicitly; you can run it with your system python3 to avoid the hardcoded path.
(5) Only install this skill in environments you trust, since SKILL.md will contain readable device and scene identifiers that could reveal household device topology if the skill directory is shared or backed up.
Like a lobster shell, security has layers — review code before you run it.
latest vk979tj3rd81wqd13pmyey9e7t981jpr6
Runtime requirements
💡 Clawdis
Env: LIFX_TOKEN
