ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

S2 Mothership [3.22 Native]

v1.1.3

A spatial logic framework for Openclaw. Provides local state compression and coordinate management safely isolated in user space.

0· 91·0 current·0 all-time
byMilesXiang@spacesq
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's description (spatial logic / local state compression) is consistent with the included Python modules (chronos, vault, actuators, adapters). However the registry metadata claims 'required env vars: none' and 'required binaries: none', while the SKILL.md frontmatter lists environment variables (HA_TOKEN, TUYA_CLIENT_ID, TUYA_SECRET, S2_PRIVACY_CONSENT, etc.), required binaries (python3, sqlite3) and pip packages. Also the package is marked 'instruction-only' in the registry but the bundle contains many code files — these metadata vs. content mismatches are incoherent and warrant caution.
!
Instruction Scope
SKILL.md allows tools exec, file_read, file_write, http_request and its code shows network calls (requests) to localhost LLM endpoints and cloud adapters (Tuya/HA). Files perform local DB writes, create hidden mirror directories, and read files under their own data dirs. That activity is coherent for a home automation/agent OS, but the instructions claim strict sandboxing and 'will exit if env vars are not provided' — you should verify those checks (they may be present but rely on code paths). SKILL.md also includes embedded full source and a statement that unicode-control-chars were removed, yet a prompt-injection pattern was detected; this ambiguity plus the allowed exec/http_request privileges increases risk if secrets are provided.
Install Mechanism
No install spec is provided (instruction-only), which reduces installer-level risk. However the repository includes many Python modules and a requirements.txt; installing or running this skill will likely require creating files and running Python code locally. Because there is no formal install process declared, how those files are placed and executed is unclear — inspect run-time entrypoints or handler.py before executing.
!
Credentials
SKILL.md frontmatter requests several sensitive environment values (HA_TOKEN, TUYA_CLIENT_ID, TUYA_SECRET) and flags for real actuation. Those credentials are plausible for a smart-home actuator skill, but the registry metadata claims no required env vars — an unexplained mismatch. Granting cloud tokens would allow the skill to call external APIs; if you don't trust the author or haven't inspected adapters (s2_tuya_cloud_adapter, s2_ha_local_adapter), do not provide secrets.
Persistence & Privilege
always is false and autonomous invocation is allowed (platform default). The code creates user-space directories (s2_data_cache, s2_state_backup, s2_local_context_logs) and writes databases & signatures; that is expected for a stateful agent. There is no manifested request to modify other skills or system-wide configs, but the skill does create a hidden mirror directory and writes signature files — reasonable for a vault/backup feature but verify paths and permissions locally. Because the agent can perform exec and http_request, giving it secrets increases its blast radius; combine that with the other inconsistencies before granting persistent privileges.
Scan Findings in Context
[unicode-control-chars] unexpected: SKILL.md claims a 'Unicode Purge' and removal of hidden control characters, yet the static scan flagged unicode-control-chars. This may indicate residual control chars or an attempt at prompt injection; review the SKILL.md raw bytes and files for hidden characters before trusting the skill.
What to consider before installing
This package contains many source files that implement local databases, device adapters (Tuya, Home Assistant), LLM calls to localhost, and a vault/backup system — so its behavior broadly matches a home-agent OS. However: 1) metadata inconsistencies (registry says no env vars/binaries, SKILL.md lists several) are red flags — ask the publisher to correct and explain them; 2) do not provide HA_TOKEN/TUYA_SECRET or other secrets until you (or a trusted reviewer) have audited the actuator adapter code paths that use them; 3) verify that the code truly refuses network/cloud calls when credentials are absent (search for unconditional requests.post calls or code paths that fall back to cloud); 4) run the package in an isolated sandbox or VM first (no real home devices, no real tokens) and monitor network traffic and filesystem writes; 5) inspect handler.py and any entrypoint for exec() usage or dynamic code execution, and search files for hidden/control characters or obfuscated strings; 6) the repeated dual-licensing/legal notices are unusual — ensure the license terms meet your intended use (they claim non-commercial only). Given the mismatches and the prompt-injection signal, treat this skill as suspicious until you can confirm the code and runtime behavior.

Like a lobster shell, security has layers — review code before you run it.

3.22vk97en192k2n03c2q7pfte1jwp183krcnHeartbeatvk97en192k2n03c2q7pfte1jwp183krcnOSvk97en192k2n03c2q7pfte1jwp183krcnS2vk97en192k2n03c2q7pfte1jwp183krcnSecurityvk97en192k2n03c2q7pfte1jwp183krcnlatestvk9717hd2rx2vemh5pzrymx33fs83j31w

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Environment variables
S2_PRIVACY_CONSENTrequired
S2_ENABLE_REAL_ACTUATIONrequired
HA_URLrequired
HA_TOKENrequired
TUYA_CLIENT_IDrequired
TUYA_SECRETrequired

Comments