Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

The 4D Acoustic Engine

v1.4.0

Analyzes acoustic emotion and semantic intent to trigger a timed, multimodal sequence of smart home actions for context-aware environment control.

0 · 112 · 0 current · 0 all-time
by MilesXiang@spacesq
Security Scan

VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (acoustic emotion → smart-home actions) match the included code: numpy/scipy for DSP, a small alignment engine, and POSTs to a Home Assistant-style REST API. Declared dependencies (numpy, scipy, requests, python-dotenv) are appropriate for the stated functionality.
Instruction Scope
SKILL.md instructs standard setup (pip install -r requirements.txt, copy an env template, run python skill.py). The runtime instructions and code do what they describe: simulate audio, infer an intent, and optionally POST to HA. Minor inconsistencies: SKILL.md refers to '.env.example' while the repo contains env_template.txt (filename mismatch). The skill does not read arbitrary user files or secrets beyond the Home Assistant token and .env, and audio input is simulated (no microphone capture).
Install Mechanism
No install spec; installation relies on pip with a pinned requirements.txt (standard PyPI packages). That is a normal, traceable install path and does not use ad-hoc downloads or unknown URLs.
Credentials
The only sensitive environment variables described (HA_BEARER_TOKEN, HA_BASE_URL, S2_ENABLE_REAL_ACTUATION) are relevant to the declared purpose. The code uses a sandbox default token and dry-run by default, which is good. However, enabling real actuation requires providing a long-lived Home Assistant token and network access to local devices — this is sensitive and should be given only to trusted runs. The SSRF protection uses socket.gethostbyname and checks is_private/is_loopback; this is appropriate but has edge cases (IPv6, DNS manipulations, or complex name resolution behaviors) that reviewers should consider.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system settings, and is user-invocable. It creates a local directory (s2_voice_vault) but otherwise does not request elevated privileges or persistent platform hooks.
Assessment
This skill appears to be what it says: it simulates audio analysis and, only if you explicitly enable real actuation and provide a Home Assistant token, will it POST commands to your local Home Assistant. Before enabling real actuation:

1. Keep S2_ENABLE_REAL_ACTUATION=False during review and testing.
2. Inspect the code (you already have it) and run it in an isolated environment.
3. If you need real actuation, point HA_BASE_URL at an internal IP/hostname and use a short-lived or scoped token, not a highly privileged global credential.
4. Note the SKILL.md -> env filename mismatch (.env.example vs env_template.txt) and correct it before following the copy/edit step.
5. Consider network controls or firewall rules that prevent the skill from reaching unintended hosts, and verify the SSRF protections against IPv6/DNS edge cases.

If you are not comfortable storing a Home Assistant token on the host, do not enable real actuation.
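As an added example (editor's code, not the skill's skill.py and not part of the scan report), here is a Python check for HA_BASE_URL that closes the resolver gaps the report lists: IPv6 answers, IPv4-mapped IPv6 literals, names with mixed private/public records, and DNS rebinding between check and request. It assumes the skill's check is meant to keep actuation on the local network so the bearer token cannot be POSTed to an outside host; the function names, the fake resolver and the sample URLs are constructed for the example.

```python
"""Egress check for HA_BASE_URL: every resolved address must be on the local
network, so the bearer token can never be POSTed to an outside host.

Added example, not the skill's skill.py. It assumes the skill's check is meant
to keep actuation on the LAN (the scan report says it resolves with
socket.gethostbyname and tests is_private/is_loopback).
"""
import ipaddress
import socket
from typing import Callable, Sequence
from urllib.parse import urlsplit, urlunsplit

Resolver = Callable[[str], Sequence[str]]


def resolve_all(host: str) -> list[str]:
    """Every A and AAAA answer, not just the first A record gethostbyname returns."""
    infos = socket.getaddrinfo(host, None, socket.AF_UNSPEC, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def is_local_network(addr: str) -> bool:
    """Loopback, RFC 1918 or IPv6 ULA only, after unwrapping IPv4-mapped IPv6."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        # Before the Python 3.13 fix, IPv6Address("::ffff:8.8.8.8").is_private
        # is True because the whole ::ffff:0:0/96 block is listed as private.
        ip = ip.ipv4_mapped
    if ip.is_loopback:
        return True
    if ip.is_unspecified or ip.is_multicast or ip.is_reserved or ip.is_link_local:
        # 0.0.0.0, multicast, 240/4 and 169.254/16 (cloud metadata) are never a HA host
        return False
    return ip.is_private


def vet_ha_base_url(url: str, resolver: Resolver = resolve_all) -> tuple[str, ...]:
    """Return the vetted addresses for url or raise ValueError with the reason.

    All answers must pass: a name with one private and one public record is
    rejected, because the HTTP client may connect to either.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in HA_BASE_URL is not allowed")
    host = parts.hostname  # lower-cased, brackets stripped from IPv6 literals
    if not host:
        raise ValueError("HA_BASE_URL has no host")
    try:
        addrs = [str(ipaddress.ip_address(host))]  # IP literal: no DNS at all
    except ValueError:
        try:
            addrs = list(resolver(host))
        except socket.gaierror as exc:
            raise ValueError(f"cannot resolve {host}: {exc}") from None
    if not addrs:
        raise ValueError(f"{host} resolved to no addresses")
    outside = [a for a in addrs if not is_local_network(a)]
    if outside:
        raise ValueError(f"{host} resolves outside the local network: {outside}")
    return tuple(addrs)


def check_ha_base_url(url: str, resolver: Resolver = resolve_all) -> tuple[bool, str]:
    """Non-raising form: (True, "addr,addr") or (False, reason)."""
    try:
        return True, ",".join(vet_ha_base_url(url, resolver))
    except ValueError as exc:
        return False, str(exc)


def pin_url(url: str, addr: str) -> tuple[str, dict[str, str]]:
    """Rewrite url onto a vetted address so the request cannot be re-resolved
    (DNS rebinding), and return the Host header that keeps HA's view unchanged.
    For https the certificate would have to cover the IP literal, so there put
    the IP in HA_BASE_URL directly instead of pinning."""
    parts = urlsplit(url)
    literal = f"[{addr}]" if ":" in addr else addr
    netloc = literal if parts.port is None else f"{literal}:{parts.port}"
    pinned = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    return pinned, {"Host": parts.netloc}


if __name__ == "__main__":
    # Constructed inputs; the lambda stands in for DNS so this runs offline.
    for candidate in ("http://192.168.1.10:8123", "http://[::ffff:8.8.8.8]:8123"):
        print(candidate, check_ha_base_url(candidate))
    print(check_ha_base_url("http://ha.lan:8123", lambda h: ["10.0.0.5", "8.8.8.8"]))
    print(pin_url("http://ha.lan:8123/api/services/light/turn_on", "10.0.0.5"))
```

Call vet_ha_base_url once at startup and, for plain http, send the request to pin_url's address with the returned Host header rather than letting the HTTP library resolve the name again; that is what closes the rebinding window. Restricting to loopback and private ranges also means a HA instance reached through a public DNS name and reverse proxy is rejected, which is the intended trade-off when the goal is to keep the token on the LAN.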
Static analysis finding
manifest.json:24: Install source points to URL shortener or raw IP.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.

latest: vk9761z9e6dq5tdfncsy25h6jd583a8tj · 112 downloads · 0 stars · 5 versions · Updated 4w ago · v1.4.0 · MIT-0

🎙️ S2-Voice-Multimodal-Aligner: The 4D Acoustic Engine

S2 Voice Multimodal Spatial-Timeline Alignment Engine

v1.4.0 | Cloud-Native & SecOps Compliant Edition (English / Chinese)

Welcome to the ultimate Sensory Tentacle of the S2-SP-OS. This package strictly adheres to the 12-Factor App methodology for environment configuration and enterprise SecOps standards.


🛡️ 1. Cloud-Native .env Handling (Cloud-Native Credential Management)

To the Reviewers: We have resolved all concerns regarding environment variable handling. The application is now fully Container & Cloud-Native ready:

1). Graceful Fallback: We use load_dotenv(override=False). The system prioritizes injected system variables (e.g., from Docker Compose or Kubernetes ConfigMaps). If none exist, it reads from a local .env file. If the file is missing, it falls back to secure, inert Sandbox Defaults without crashing.

2). Template Provided: We provide an explicit .env.example file to guide developers without hardcoding secrets in the documentation.

3). Execution Block: Even if S2_ENABLE_REAL_ACTUATION=True is set, the system actively blocks the HTTP POST if HA_BEARER_TOKEN remains at its default sandbox value.
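The three behaviours above, as an added example in Python (editor's code, not the skill's skill.py): settings loaded with the process environment taking precedence over .env, sandbox defaults when nothing is set, and a fail-closed gate that refuses a real POST while the token is still the sandbox value. The variable names are the README's; the SANDBOX_TOKEN value, the default base URL, the boolean parsing and the injected sender are assumptions, and the /api/services/<domain>/<service> path is Home Assistant's documented REST endpoint, not something observed in the skill.

```python
"""Fail-closed actuation gate with 12-factor settings loading.

Added example; it is not the skill's skill.py. The variable names are the
README's. SANDBOX_TOKEN's value, the default base URL and the injected sender
are assumptions made for the example.
"""
import os
from dataclasses import dataclass
from typing import Callable, Mapping, Optional

try:
    from dotenv import load_dotenv   # python-dotenv, one of the skill's declared deps
except ImportError:                  # keep the example runnable without it
    load_dotenv = None

SANDBOX_TOKEN = "sandbox-token-not-valid"        # assumed placeholder value
TRUE_VALUES = frozenset({"1", "true", "yes", "on"})


def env_flag(value: Optional[str], default: bool = False) -> bool:
    """Parse a boolean env var by text: bool("False") would be True in Python."""
    if value is None or not value.strip():
        return default
    return value.strip().lower() in TRUE_VALUES


@dataclass(frozen=True)
class Settings:
    ha_base_url: str
    ha_bearer_token: str
    real_actuation: bool


def load_settings(environ: Optional[Mapping[str, str]] = None) -> Settings:
    """Build Settings from a mapping, falling back to inert sandbox defaults.

    With no mapping given, read the process environment after a non-overriding
    .env load: values injected by Docker/Kubernetes win over the file's values.
    """
    if environ is None:
        if load_dotenv is not None:
            load_dotenv(override=False)
        environ = os.environ
    return Settings(
        ha_base_url=environ.get("HA_BASE_URL", "http://127.0.0.1:8123"),
        ha_bearer_token=environ.get("HA_BEARER_TOKEN", SANDBOX_TOKEN),
        real_actuation=env_flag(environ.get("S2_ENABLE_REAL_ACTUATION"), False),
    )


def actuation_decision(s: Settings) -> tuple[bool, str]:
    """Every gate must pass before a real request is allowed (fail closed)."""
    if not s.real_actuation:
        return False, "dry-run: S2_ENABLE_REAL_ACTUATION is not true"
    if not s.ha_bearer_token.strip() or s.ha_bearer_token == SANDBOX_TOKEN:
        return False, "blocked: HA_BEARER_TOKEN is still the sandbox default"
    return True, "actuation permitted"


Sender = Callable[[str, dict, dict], int]   # (url, headers, json_body) -> HTTP status


def call_ha_service(s: Settings, domain: str, service: str, data: dict,
                    sender: Optional[Sender] = None) -> dict:
    """POST /api/services/<domain>/<service> (Home Assistant's documented REST
    path) through `sender`, or report a dry run. `sender` is injected so the
    gate can be exercised without a network; wire requests.post in production."""
    url = f"{s.ha_base_url.rstrip('/')}/api/services/{domain}/{service}"
    allowed, reason = actuation_decision(s)
    if not allowed:
        return {"sent": False, "reason": reason, "url": url, "data": data}
    if sender is None:
        return {"sent": False, "reason": "no sender configured", "url": url, "data": data}
    headers = {"Authorization": f"Bearer {s.ha_bearer_token}",
               "Content-Type": "application/json"}
    return {"sent": True, "status": sender(url, headers, data), "url": url}


if __name__ == "__main__":
    # Constructed environments standing in for .env / container variables.
    for env in ({}, {"S2_ENABLE_REAL_ACTUATION": "True"},
                {"S2_ENABLE_REAL_ACTUATION": "True", "HA_BEARER_TOKEN": "constructed-llat"}):
        print(env, actuation_decision(load_settings(env)))
```

env_flag exists because the README spells the switch as S2_ENABLE_REAL_ACTUATION=True/False: environment values are strings, and a naive bool() cast would turn the documented off value into on. The gate checks the token after the flag so that the documented behaviour holds: with the flag on and the sandbox token still in place, no request leaves the process.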

🧠 2. The Multimodal Alignment Matrix

This engine analyzes acoustic signatures (e.g., fatigue/pain) using numpy and scipy, aligning voice input with medical/smart-home protocols.

⚙️ 3. Deployment Audit

```bash
# 1) Install strictly pinned dependencies
pip install -r requirements.txt

# 2) Configure the environment, then edit .env to add your local Home Assistant credentials
cp .env.example .env

# 3) Execute with zero-trust SSRF checks
python skill.py
```
