Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Micro-Doppler Life-Safety Engine

v1.1.0

Detects elder falls and apnea using privacy-safe 60/77 GHz mmWave radar with real-time micro-Doppler STFT analysis for emergency alerts and response.

by MilesXiang @spacesq
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (mmWave micro-Doppler fall detection + optional emergency actuation) matches the code and SKILL.md: the DSP pipeline is implemented locally and actuation is performed via Home Assistant REST calls. The manifest documents the same HA environment variables. Minor metadata inconsistency: registry metadata above lists no homepage/required env vars while manifest.json includes a homepage and documents S2_ENABLE_REAL_ACTUATION, HA_BASE_URL, and HA_BEARER_TOKEN.
Instruction Scope
SKILL.md and skill.py confine behavior to generating simulated/sensed signals, computing an STFT, detecting a fall, and optionally posting to Home Assistant. There are no instructions to read unrelated system files, exfiltrate data to unknown endpoints, or gather additional credentials. The code creates a local directory (s2_eldercare_vault) to store data.
Install Mechanism
No install specification is embedded in the registry (instruction-only). The SKILL.md tells users to pip install requirements.txt — a standard, low-risk dependency install from PyPI. No downloads from arbitrary URLs or archive extraction are used.
Credentials
The only sensitive inputs are Home Assistant-related (HA_BASE_URL and HA_BEARER_TOKEN) and a boolean to enable real actuation. Those are appropriate and proportional to the actuation feature. The skill defaults to Dry-Run and will not perform network POSTs unless S2_ENABLE_REAL_ACTUATION is explicitly set. Recommend using a least-privilege long-lived token and keeping HA on a trusted local network. Also note the registry metadata did not declare required env vars while the manifest does — verify manifest vs registry before use.
Persistence & Privilege
This skill does not request always:true, does not modify other skills or global agent settings, and does not run persistent background services. It only creates a local directory for data and runs when executed. Actuation is opt-in via an environment variable.
Assessment
This skill appears to do what it says: run a local DSP fall detector and optionally send commands to Home Assistant. Before enabling real actuation:
1) Keep S2_ENABLE_REAL_ACTUATION unset (Dry-Run) while you review and test behavior.
2) If you enable real actuation, only do so in a trusted, local network.
3) Create a Home Assistant token with minimal scope needed for the specific entities, and verify HA_BASE_URL points to your local instance.
4) Inspect and, if necessary, change the entity IDs (lock.room_802_main_door, light.room_802_all, fan.room_802_hvac) so they map to test devices first (avoid unlocking real doors during testing).
5) Confirm the manifest/registry metadata (homepage and declared env vars) with the publisher because the packaged manifest includes env var docs that the registry metadata did not list.
If you want extra assurance, run the script in an isolated environment or sandbox and keep network access to your HA instance restricted.

Like a lobster shell, security has layers — review code before you run it.

latestvk974hd5b9ad8j8y2rjwkx7mh0d83amtg
