Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
云智联 IoT Device Management API
v1.1.0 · 云智联 IoT sensor data query. A single sentence is enough to fetch sensor data, for example "show me the soil moisture sensor data", "check device status", or "get all devices". Users only need to provide an API Key.
⭐ 0 · 10 · 0 current · 0 all-time
by @yzlkj
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, high confidence
Purpose & Capability
The skill's name/description (云智联 IoT 设备管理 API) matches the included code: tool.py queries an external IoT API (https://open.yzlkj.com) for devices, device details, and history. However, the registry metadata lists no required environment variables or primary credential while both SKILL.md and tool.py clearly require YZLIOT_API_KEY. That metadata omission is an inconsistency (the capability logically needs an API key).
Instruction Scope
SKILL.md instructs the user to set YZLIOT_API_KEY and run python3 tool.py with simple commands (ping, all, list, device, history). The runtime instructions and tool.py are narrowly scoped: they only read the single env var YZLIOT_API_KEY and perform HTTP(S) requests to the BASE_URL and return/print results. The instructions do not ask to read other files, system secrets, or send data to unexpected endpoints.
Install Mechanism
There is no install spec (instruction-only with an included tool.py). No external downloads, package installs, or archive extraction occur. The only runtime requirement is that Python 3 be available to run tool.py.
Credentials
The tool requires a single API credential via environment variable YZLIOT_API_KEY (used as header 'YZLIOT-APIKEY'), which is appropriate for an API client. However, the skill registry metadata did not declare this required env var or a primary credential, creating a mismatch between declared requirements and actual runtime needs. This can cause unexpected behavior or confusion and should be corrected before installation. No other secrets or unrelated credentials are requested.
Persistence & Privilege
The skill does not request permanent presence (always:false), does not modify other skills or system configuration, and does not write files or install services. It only runs ad hoc network calls when executed.
What to consider before installing:
- The code and SKILL.md require an API key set in the environment variable YZLIOT_API_KEY, but the skill registry metadata does not declare this; expect to provide that secret manually.
- The tool makes HTTPS requests to https://open.yzlkj.com. Verify that this domain is the genuine cloud service you trust and that the API token you provide has limited scope and can be revoked.
- The included tool.py is small and readable (no obfuscation), but if you plan to run it in a production environment, consider running it in an isolated environment/container and avoid exposing high-privilege credentials.
- Confirm and update the skill metadata (declare YZLIOT_API_KEY as a required/primary credential) so users know what to provide and so automated protections can surface correctly.
- If you are unsure about trusting the endpoint or the API key, do not provide long-lived credentials; use a scoped, revocable token and rotate it after testing.
latest: vk9745j4ha0ppv9449rmf97th9584bk8e
