Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
smartpi-iot
v1.0.0智能公元 IoT 设备控制插件。可控制灯光、加湿器、窗帘等设备,支持查询设备状态。
⭐ 0· 138·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The SKILL.md describes an IoT control skill (lights, humidifier, curtains) and only needs curl plus two credentials (SMARTPI_TOKEN and SMARTPI_DEVICE_KEY), which is coherent with the stated purpose. However, the registry metadata at the top of the submission listed 'Required env vars: none' while the embedded SKILL.md metadata and instructions require two environment variables — this mismatch is inconsistent.
Instruction Scope
Instructions only show curl POSTs to the documented API and provide an optional helper script to write under ~/.openclaw/workspace/skills/smartpi-iot/scripts/iot-control.sh. The skill does not instruct reading unrelated system files or exfiltrating data to unexpected endpoints. The script does persist a file under the user's OpenClaw workspace (which is normal for a skill), but that write location was not listed in the top-level registry 'required config paths', another small inconsistency.
Install Mechanism
This is an instruction-only skill with no install spec or remote downloads; required binary is curl. That is low-risk from an install/execution perspective.
Credentials
The two environment variables requested by SKILL.md (SMARTPI_TOKEN, SMARTPI_DEVICE_KEY) are appropriate for IoT API access and are proportionate. The concern is that the skill registry summary omitted these requirements (listed 'none'), so the platform-level metadata does not match the runtime instructions. Also the SKILL.md uses plaintext environment interpolation in curl commands; users should avoid exposing tokens in logs/command history and use platform secret storage where available.
Persistence & Privilege
The skill does not request always:true and uses normal user-invocable/default autonomous invocation. It does suggest creating a helper script in the user's OpenClaw workspace (local to the agent), which is reasonable and limited in scope. The skill does not ask to modify other skills or system-wide settings.
What to consider before installing
Before installing: 1) Note the mismatch between the registry summary (which declared no required env vars) and the SKILL.md (which requires SMARTPI_TOKEN and SMARTPI_DEVICE_KEY). Confirm the platform will store those secrets in a secure secret store rather than exposing them in logs or shell history. 2) Verify the API hostname (https://mcp.aimachip.com) is legitimate and intended for your SmartPi devices — the skill homepage is smartpi.cn but the API uses aimachip.com, which could be legitimate (third‑party backend) but should be confirmed. 3) Prefer creating a short-lived or least-privilege token for this skill and avoid reusing high‑privilege tokens (e.g., admin keys). 4) Because the SKILL.md suggests writing a script to ~/.openclaw/workspace, review that file after creation and ensure it has appropriate permissions (no world-readable tokens). 5) If you allow autonomous invocation, be aware the agent could call the API whenever triggered; consider limiting invocation or testing first with a non-critical device. If anything about the origin or endpoints cannot be verified, treat the skill as untrusted and do not provide real credentials.Like a lobster shell, security has layers — review code before you run it.
latestvk97dzbbhhssvb9smy5n9esj0n1834e5y
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🏠 Clawdis
Binscurl