Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
The 4D Acoustic Engine
v1.4.0
Analyzes acoustic emotion and semantic intent to trigger a timed, multimodal sequence of smart home actions for context-aware environment control.
by MilesXiang@spacesq
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (acoustic emotion → smart-home actions) match the included code: numpy/scipy for DSP, a small alignment engine, and POSTs to a Home Assistant-style REST API. Declared dependencies (numpy, scipy, requests, python-dotenv) are appropriate for the stated functionality.
Instruction Scope
SKILL.md instructs standard setup (pip install -r requirements.txt, copy an env template, run python skill.py). The runtime instructions and code do what they describe: simulate audio, infer an intent, and optionally POST to HA. One minor inconsistency: SKILL.md refers to '.env.example' while the repo contains env_template.txt (filename mismatch). The skill does not read arbitrary user files or secrets beyond the Home Assistant token and .env, and audio input is simulated (no microphone capture).
Install Mechanism
No install spec; installation relies on pip with a pinned requirements.txt (standard PyPI packages). That is a normal, traceable install path and does not use ad-hoc downloads or unknown URLs.
Credentials
The only sensitive environment variables described (HA_BEARER_TOKEN, HA_BASE_URL, S2_ENABLE_REAL_ACTUATION) are relevant to the declared purpose. The code uses a sandbox default token and dry-run by default, which is good. However, enabling real actuation requires providing a long-lived Home Assistant token and network access to local devices — this is sensitive and should be given only to trusted runs. The SSRF protection resolves the configured host with socket.gethostbyname and checks is_private/is_loopback on the result; this is appropriate, but because gethostbyname returns a single IPv4 address it does not cover IPv6 addresses, additional DNS records, or a name that resolves differently at request time than at check time, and reviewers should consider these edge cases.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system settings, and is user-invocable. It creates a local directory (s2_voice_vault) but otherwise does not request elevated privileges or persistent platform hooks.
Assessment
This skill appears to be what it says: it simulates audio analysis and — only if you explicitly enable real actuation and provide a Home Assistant token — will it POST commands to your local Home Assistant. Before enabling real actuation: (1) keep S2_ENABLE_REAL_ACTUATION=False during review and testing; (2) inspect the code (you already have it) and run in an isolated environment; (3) if you need real actuation, provide HA_BASE_URL pointing to an internal IP/hostname and a short-lived or scoped token, not a highly privileged global credential; (4) note the SKILL.md -> env filename mismatch (.env.example vs env_template.txt) and correct it before following the copy/edit step; (5) consider network controls or firewall rules that prevent the skill from reaching unintended hosts (and verify SSRF protections against IPv6/DNS edge-cases). If you are not comfortable storing a Home Assistant token on the host, do not enable real actuation.
Static analysis
manifest.json:24
Install source points to URL shortener or raw IP.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
