Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Morning Wakeup Automation

v1.0.0

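Morning wake-up automation workflow: each morning it fetches the day's weather and then automatically plays music from the matching Sonos playback preset. Use cases: setting up a daily morning wake-up, weather-adaptive music playback, and home-automation morning routines.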

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the delivered artifacts: the script fetches weather from Open‑Meteo and drives Sonos via the sonos CLI. The declared install of sonoscli (go) is appropriate. The additional clawhub (npm) requirement is reasonable for scheduling/cron integration though the runtime script itself does not call clawhub directly (this is a small mismatch but explainable).
Instruction Scope
SKILL.md and scripts limit actions to calling Open‑Meteo (no API key), running local sonos CLI commands, and optionally scheduling via OpenClaw cron. The Node script executes shell commands (execSync) to call the sonos binary; the script includes a basic shell-escaping helper for single quotes. There is no code that reads arbitrary host files or exfiltrates data to external endpoints beyond the weather API.
Install Mechanism
Install uses public registries: a Go module (github.com/steipete/sonoscli) and an npm package (clawhub). These are standard package sources. Minor reproducibility/security note: the Go module uses @latest which installs the newest release/version at install time.
Credentials
No environment variables, secrets, or config paths are requested. Troubleshooting guidance mentions music service accounts (Spotify/Apple) but the skill does not require or store their credentials; this is proportionate.
Persistence & Privilege
Skill does not request always:true and does not modify other skills or system-wide settings. Scheduling is optional via OpenClaw cron and is a reasonable mechanism for the described use-case.
Assessment
This skill appears to do only what it says: fetch weather from Open‑Meteo and run the Sonos CLI to play presets. Before installing, consider: (1) the install will fetch a Go module and an npm package from public registries — review those projects if you require total supply-chain assurance; (2) the script executes shell commands (execSync) to run the sonos binary — avoid passing untrusted strings into --speaker or custom mappings without review; (3) it makes outbound HTTPS calls to api.open-meteo.com (no API key), and requires local network access to reach Sonos devices; (4) if you plan to schedule it via cron, confirm the referenced file path is correct and run in an environment with appropriate network/isolation settings. If you need extra assurance, run the script in a sandboxed machine or inspect the listed packages' source before installing.
scripts/wakeup.js:159
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latest vk975twwp2k0xgsa8yymperm5kx84fk0r

Runtime requirements

Bins: sonos, clawhub

Install

Install sonoscli (go)
Bins: sonos
go install github.com/steipete/sonoscli/cmd/sonos@latest
Install ClawHub CLI (npm)
Bins: clawhub
npm i -g clawhub
