Skill v1.0.0
ClawScan security
Nest SDM · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 17, 2026, 3:13 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill generally matches its stated purpose (control Nest via SDM) but its runtime scripts read and depend on credentials and local configuration that the registry doesn't declare (e.g., Pub/Sub tokens, Telegram tokens, and even parsing ~/.zshenv or calling gcloud), which is a mismatch that could expose unrelated secrets — review before installing.
- Guidance: This skill appears to do what it says (control Nest and forward events), but the bundled scripts read and create token files and may pull credentials from places you might not expect (your ~/.zshenv and any local gcloud auth). Before installing or running: (1) Inspect the token files and avoid placing other secrets in ~/.openclaw/workspace or your shell rc; (2) Prefer creating dedicated OAuth credentials and a dedicated GCP project with least-privilege scopes; (3) Don't store long-lived unrelated secrets in .zshenv — the script will try to read it; (4) Consider running the scripts in an isolated environment (container or restricted user) and verify TELEGRAM_BOT_TOKEN/CHAT_ID are set explicitly rather than relying on automatic discovery; (5) If you don't want event forwarding, avoid running nest-events.sh or remove the Telegram forwarding sections. If you're unsure, test in a disposable account/project first.
Review Dimensions
- Purpose & Capability [note]: The name/description (Nest SDM control and event forwarding) aligns with the included scripts and SKILL.md: OAuth tokens, SDM API calls, and Pub/Sub event handling are expected for this use case. Required binaries (curl, python3) are proportional. However, the registry metadata declares no required env vars while the scripts clearly read several environment variables and token files — this declaration mismatch is noteworthy.
- Instruction Scope [concern]: SKILL.md and the scripts instruct the agent to read and write token files under ~/.openclaw/workspace, run OAuth exchanges, poll Google Pub/Sub, and forward events to Telegram. The nest-events.sh script additionally attempts to parse $HOME/.zshenv for TELEGRAM_* variables and falls back to invoking a local gcloud binary to obtain access tokens. Those actions expand scope beyond simple SDM API calls because they read arbitrary shell config and reuse any existing gcloud credentials on the host.
- Install Mechanism [ok]: This is an instruction-only skill with no installer; there is no network-downloaded code at install time. Code files are bundled with the skill (shell scripts), so nothing is fetched or executed automatically beyond what the scripts do when run.
- Credentials [concern]: The skill legitimately needs OAuth client_id/client_secret/refresh_token and (optionally) Pub/Sub tokens and a Telegram bot token to operate. However: the registry lists no required env vars while the scripts expect NEST_SDM_TOKENS, NEST_PUBSUB_TOKENS, TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID, GCP_PROJECT and more. The script's behavior of scanning ~/.zshenv for TELEGRAM_* and using gcloud to fetch tokens can access unrelated secrets/credentials on the host — this is disproportionate unless explicitly documented and consented to.
- Persistence & Privilege [ok]: The skill does not request always:true and does not modify other skill configs. It can be run as a daemon (listen), which is expected for event forwarding, and autonomous invocation is allowed by default (platform normal). No elevated system persistence or cross-skill configuration changes are requested by the code.
