Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

S2-SP-OS Wave/Spectrum Radar

v2.0.3

S2-SP-OS Spectrum Radar. Pure, passive spatial perception using GPIO/UART with explicit OS environment consent (S2_PRIVACY_CONSENT) and quantized biometrics....

by MilesXiang@spacesq
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description, required binary (python3), and dependency (pyserial) align with a GPIO/UART radar client. However, the edge-setup guide references 'GPIO Fast-Trigger Wiring' for 'instant zero-latency smart home triggers', which contradicts repeated claims in SKILL.md and spectrum.py that the sensor is 'passive' and performs 'NO cross-device triggers.' This inconsistency is unexplained.
Instruction Scope
SKILL.md instructs running spectrum.py and explicitly requires S2_PRIVACY_CONSENT (consistent). But AGENT-EXAMPLES.md contains sample agent reasoning that tells the Agent to autonomously call other perception/actuation skills (e.g., s2-light-perception, s2-acoustic-perception). SKILL.md also asks the Agent to 'decide what to do next based on your system prompts and examples' — this gives broad discretionary authority to act on sensor outputs and promotes cross-skill actuation despite claims of sensor-only scope.
Install Mechanism
No install spec downloads arbitrary code; this is instruction-only plus an included Python file. The only declared runtime dependency is pyserial (normal for serial/UART hardware). No network downloads or extract steps are present.
Credentials
Only one required environment variable (S2_PRIVACY_CONSENT) is declared and enforced by the script. No unrelated credentials, config paths, or secrets are requested.
Persistence & Privilege
always:false and no install-time persistence are appropriate. However, because the skill provides examples that encourage the Agent to invoke other skills or actuators autonomously, the combination of autonomous invocation (default enabled) plus these examples increases operational risk if the Agent is allowed to act without policy controls.
What to consider before installing
This package mostly implements a local, passive radar client and enforces an explicit S2_PRIVACY_CONSENT env var, which is reasonable. However, two issues merit caution before installing:
(1) the edge setup doc mentions fast GPIO triggers (implying actuation possibility) while the code and SKILL.md repeatedly assert 'passive only' — ask the author to clarify whether the hardware wiring or GPIO pins can be used to trigger other devices;
(2) AGENT-EXAMPLES.md encourages the Agent to autonomously call actuators/other sensors based on radar output. If you plan to allow autonomous skill invocation, restrict or audit cross-skill policies so the Agent cannot trigger actuators without separate explicit approval.
Practical steps: run the Python script in an isolated environment first (no /dev/tty or GPIO attached) to inspect outputs; review/grep the code for any network calls (none present in provided file); avoid setting S2_PRIVACY_CONSENT=1 globally until you are comfortable (set it only in a controlled session); and ask the maintainer to remove or rewrite examples that instruct the Agent to take autonomous actions or to explicitly document how GPIO trigger wiring is intended to be used.
If the maintainer confirms that GPIO pins are read-only and no actuator interfaces exist, the coherence concern is resolved and risk decreases.

Like a lobster shell, security has layers — review code before you run it.

latest: vk977ptvsmf3r00dwnbzdat8nqd83caqy

Runtime requirements

🌊 Clawdis
Bins: python3
Env: S2_PRIVACY_CONSENT
