ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

S2-SP-OS Energy Radar

v1.1.1

S2-SP-OS Energy Radar. Maps spatial inventory and generates advanced local visual dashboards (Bar/Pie/Trend) for user insights without cloud analytics. / S2...

0· 87·0 current·0 all-time
byMilesXiang@spacesq
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (spatial inventory + local dashboards) align with the included python script (generate_dashboard) and SKILL.md which run local processing with pandas/numpy/matplotlib. The setup-guide and S2-MEMZERO-PROTOCOL that describe RS485/Modbus smart breaker integration and a Nano-scale Edge CNN are consistent with an energy/hardware integration use-case, but they expand the scope to hardware I/O and on-device ML (model download) which the top-level metadata doesn't fully enumerate. The presence of agent guidance that recommends cross-skill power-cut actions (actuation) is beyond a purely passive dashboard capability.
!
Instruction Scope
SKILL.md instructs the agent to run local scripts and to present file:// image URIs — expected. However AGENT-EXAMPLES explicitly instructs the agent to proactively propose and call other skills/agents to cut power and configure automatic actuations. The setup-guide also mentions wiring RS485 and passive polling vs. actuation handling. That is scope creep from 'passive visual dashboard' into control/actuation and cross-skill orchestration, which materially increases risk.
Install Mechanism
There is no formal install spec (instruction-only + included code), which is lower disk-write risk. However setup-guide tells operators to download a quantized MobileNet SSD .tflite model (source/location not specified) and to install tflite-runtime/opencv packages — an unspecified external model download is a notable vector (unvalidated binary). The primary packaged deps used by the included code (pandas/numpy/matplotlib) are declared in metadata and used.
Credentials
Only one required env var (S2_PRIVACY_CONSENT) and python3 are declared, which is proportionate for a local tool. That said the code and docs imply access to local images, RS485/Modbus hardware, and the filesystem (writing charts to cwd, producing file:// URIs). Those local hardware/file accesses are reasonable for an edge energy tool but are privileges the user should consciously accept; the skill does not request cloud credentials, which is appropriate.
Persistence & Privilege
always is false and the skill does not request persistent platform-wide privileges. However the AGENT-EXAMPLES language urging automated cross-skill actuation increases the operational blast radius if the agent is allowed to autonomously invoke other skills that can control devices. Autonomous invocation combined with actuation instructions is the main privilege concern here.
What to consider before installing
This skill appears to be what it says (local inventory + charts) but it also pushes the agent toward active device control and suggests downloading an on-device ML model from an unspecified source. Before installing or running it: - Review the energy.py functions that were elided (run_inventory, read_smart_breaker) to confirm they don't phone home or perform unexpected network I/O. - If you plan to use vision/edge-model features, only download models from a trusted URL (official project or vendor release); avoid arbitrary/unverified model downloads. - Be cautious about wiring RS485/Modbus hardware and about permitting cross-skill automation: if you allow the agent to invoke other skills that can actuate (cut power), require explicit user confirmation before any actuation. - Run the skill in an isolated environment (non-privileged account, limited network) until you're comfortable with behavior. If you want a safer thumbs-up, provide the full content of run_inventory and read_smart_breaker and the exact model download URL so I can re-check network calls, unknown hosts, or any code that would transmit data off the device.

Like a lobster shell, security has layers — review code before you run it.

latestvk97aae2skqjm94vzjtxvsbwsrd83d53h

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Clawdis
Binspython3
EnvS2_PRIVACY_CONSENT

Comments