Openclaw Aligenie Push

Things to consider before installing: - Manifest vs implementation: The package code expects ALIGENIE_PUSH_SERVER, ALIGENIE_APP_ID, ALIGENIE_APP_SECRET and ALIGENIE_DEVICE_OPEN_ID but the skill registry lists no required env vars or config paths — ask the publisher to correct the manifest so you know what secrets will be needed. - DEPLOY inconsistency: DEPLOY.md describes a Java PushServer and compiled class files, but the package contains a Python Flask push-server.py. Confirm which server you are expected to run and obtain the correct, trusted server binary/source. - Network exposure: DEPLOY.md instructs opening port 58472 to 0.0.0.0/0. Exposing a custom HTTP endpoint to the public internet is risky. If you must expose it, restrict source IPs in the security group, require TLS, and put authentication in front of the endpoint (API key, mutual TLS, or VPN). - Secrets handling: The design permits sending AppSecret in the HTTP request body to the push server. Only run the push server on infrastructure you fully control and access over TLS. Prefer storing secrets in environment variables or a secrets manager (not in plain TOOLS.md in your home dir). Rotate AppSecret if it may have been exposed during testing. - Verify code: Review push-server.py and push.py to ensure they only call the documented Aligenie endpoints and do not forward credentials to other endpoints. Use the provided mock-server.py for local testing first. - Request fixes: Ask the publisher to (1) update the skill metadata to declare required env vars and config paths, (2) fix DEPLOY.md to match the provided server implementation, and (3) avoid advising 0.0.0.0/0 exposure without recommending authentication and TLS. If these issues are addressed (manifest corrected, deployment instructions fixed, and a secure deployment pattern enforced), the skill's behavior is coherent with its purpose. Until then, treat it with caution.