Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Vela Dev

v1.0.0

Build, edit, debug, and package Xiaomi Vela JS quick apps for wearable devices such as Xiaomi Band 10. Use when the user asks to create a Vela 快应用, modify `....

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill is for creating and building Xiaomi Vela apps and includes a template package.json and repeated instructions to run `npx aiot build`. However the skill's metadata claims no required binaries or environment dependencies. In practice the workflow requires Node/npm (npx) and the aiot-toolkit (npm package) to be available — this mismatch is an unexplained omission.
Instruction Scope
SKILL.md stays within the stated purpose: scaffolding files, editing `.ux` pages, running builds, reading local reference files, and consulting official docs. It does not instruct reading unrelated system files or exfiltrating data, nor does it demand unrelated credentials.
Install Mechanism
This is an instruction-only skill (no install spec). Included assets contain a template package.json that references a public npm devDependency (`aiot-toolkit`), which is expected for the described build workflow. No downloads from untrusted URLs or extract/install steps are specified by the skill itself.
Credentials
The skill requests no environment variables or credentials and the instructions do not reference secrets. The included files and referenced docs are proportional to the stated goal.
Persistence & Privilege
The skill does not request persistent presence (always=false), does not modify other skills or global agent settings, and allows normal user invocation/autonomous invocation per platform defaults.
What to consider before installing
This skill appears to do what it claims — scaffold, build, and debug Xiaomi Vela quick apps — but note a small inconsistency: it instructs you to run `npx aiot build` yet does not declare Node/npm/npx as required tools. Before using it, ensure you have Node.js and npm (so npx works) and that you understand running build/install commands on your machine. If you install dependencies (npm install), be aware that npm packages can run install scripts; verify the `aiot-toolkit` package is from a trusted source and inspect package.json in the template. Review any commands the assistant suggests before executing them, and avoid pasting or running remote scripts you don't trust. If you need higher assurance, ask the skill author how they expect build tooling to be provided (local Node vs. container) or request they declare required binaries in the skill metadata.

Like a lobster shell, security has layers — review code before you run it.
