Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Philips Hue
v1.0.1
Local control of Philips Hue lights via API v1.
by @aprilox
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the provided code: hue.sh implements local Philips Hue API v1 calls. Minor inconsistency: SKILL metadata and SKILL.md list 'jq' as a required binary, but the script does not call jq. Also, registry 'required env vars' is empty while SKILL.md instructs the user to create a local .env with BRIDGE_IP and USERNAME (this is a local config file, not platform-level env vars).
Instruction Scope
SKILL.md instructs only local setup (press bridge button, create .env) and use of hue.sh. The script sources .env from its own directory and performs HTTP calls to the local bridge IP only. There are no instructions to read unrelated files, access other system configs, or transmit data to external endpoints.
Install Mechanism
No install spec (instruction-only skill) and the included hue.sh is bundled with the skill. Nothing is downloaded or extracted from external URLs; risk from install mechanism is low.
Credentials
The skill requires BRIDGE_IP and USERNAME (Hue API key) stored in a local .env file — appropriate and proportionate for local Hue control. The registry declares no required platform env vars, which matches that secrets are stored in a local .env rather than requested from the platform. Minor mismatch: SKILL.md/metadata lists 'jq' as required though it's unused.
Persistence & Privilege
The skill does not request persistent platform privileges (always: false). It doesn't modify other skills or system-wide settings and only reads a .env from its own directory. Autonomous invocation is allowed by default (normal) but not combined with other concerning behavior.
Assessment
This skill appears to do exactly what it says: control a local Philips Hue Bridge using a small shell script. Before installing: (1) review hue.sh (it’s short and readable) and confirm it will call only your local BRIDGE_IP; (2) understand the script expects a .env file in the skill directory with BRIDGE_IP and USERNAME (Hue API key) — do not put other secrets there; (3) the SKILL.md/metadata mention jq but the script doesn't use it (safe but unnecessary); (4) pair your bridge by pressing its physical button as documented; (5) run the script with minimal privileges (don’t run as root) and ensure your Hue Bridge is on a trusted LAN segment (don’t expose it to the Internet). If you want extra assurance, run the script in a controlled environment and monitor network calls to ensure no unexpected external endpoints are contacted.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
💡 Clawdis
Bins: curl, jq, python3
