Morning Wake-Up

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: morning-wake-up
Version: 1.1.0

The morning-wake-up skill is a legitimate automation tool that fetches weather data from the Open-Meteo API and triggers music playback on Sonos speakers using a local CLI. The implementation in `scripts/wake-up.ts` uses `Bun.spawn` with argument arrays to execute commands safely, preventing shell injection, and there are no indicators of data exfiltration, persistence, or malicious prompt injection.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

When run, the skill can change volume and start playback on the named Sonos speaker.

Why it was flagged

The script invokes the local Sonos CLI to set volume and open a favorite. This is the core advertised function and uses argument arrays rather than a shell, but it can still affect a user's speaker.

Skill content

Bun.spawn(["sonos", "volume", "set", String(volume), "--name", speaker]);
...
Bun.spawn(["sonos", "favorites", "open", favorite, "--name", speaker]);

Recommendation

Only run it with the intended speaker and volume, and keep presets.json limited to trusted Sonos favorite names.

What this means

The skill may fail or use whatever local `bun` and `sonos` commands are already installed on the machine.

Why it was flagged

The documentation requires local binaries even though the registry requirements list no required binaries and there is no install spec. This may reduce automated environment checks.

Skill content

- Sonos CLI (`sonos`) installed and speakers on local network
...
bun scripts/wake-up.ts --location "Shanghai" --speaker "Living Room"

Recommendation

Install Bun and the Sonos CLI from trusted sources, and verify the `sonos` command works before scheduling the routine.

What this means

Your chosen location or coordinates are shared with Open-Meteo to fetch weather.

Why it was flagged

The script sends the provided city name or coordinates to Open-Meteo for geocoding and weather. This is disclosed and purpose-aligned, but it is still an external data flow.

Skill content

https://geocoding-api.open-meteo.com/v1/search?name=${encodeURIComponent(location)}
...
https://api.open-meteo.com/v1/forecast?${params}

Recommendation

Use a city-level location rather than precise coordinates if location privacy matters.

Note
High Confidence
ASI10: Rogue Agents
What this means

If scheduled, the skill can start Sonos playback every day until the cron job is removed or changed.

Why it was flagged

The skill documents an optional cron schedule that would cause the routine to run daily. This is expected for an alarm-style skill and is user-directed, not silently created by the code.

Skill content

cron add — schedule: "0 7 * * *" — payload: "Run morning-wake-up for location Shanghai on speaker Living Room"

Recommendation

Add the cron job only if you want recurring playback, and keep track of how to disable or edit the schedule.