Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
WoL Wakeup
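v1.0.0
Wake-on-LAN (WoL) automation skill. Supports a workflow mode and a single-line command mode, adds devices through multi-turn dialogue, and needs no large language model. Usage: 1) "帮我开机" ("power on for me") → list 2) "开机 - 设备名" ("power on - device name") → wake 3) "添加网络唤醒" ("add network wake-up") → workflow 4) "列表" ("list") → view 5) "删除 - 设备名" ("delete - device name") → delete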
⭐ 0· 65·0 current·0 all-time
by sharecode @xunone11
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The code and docs implement a local HTTP hook + workflow engine that listens on localhost and sends WoL magic packets via the wakeonlan library; requiring python3 and wakeonlan is appropriate. The component set (workflow engine, state manager, device manager, hook server) aligns with the stated WoL automation purpose.
Instruction Scope
Runtime instructions and code perform actions beyond simple 'send a magic packet': they modify OpenClaw configuration, create/enable a systemd service, persist tokens and session/device files under ~/.openclaw, and log inbound message payloads. The hook server will accept requests without token verification when no token is configured (verify_token returns True if DEFAULT_TOKEN is None), which weakens the intended auth protection.
Install Mechanism
No remote downloads; dependencies are installed via pip by the included install script (pip install wakeonlan). The install script attempts to create a user systemd service and run systemctl --user commands. This is typical but requires care: the script writes files into user config directories, and its systemctl calls may silently fail or succeed depending on the environment.
Credentials
The skill does not request external credentials, which is consistent. However, the repository/docs embed an explicit token string (several docs show a long hex token), and the install process saves a token to a file (.hook_token) and to a local OpenClaw config file. Hard-coded/example tokens in repo/docs and persisting tokens in files increase credential-exposure risk. The hook server also supports reading the token from the HOOK_TOKEN env var, but the code allows unauthenticated access if no token is set.
Persistence & Privilege
The skill installs a persistent service (systemd user service), updates OpenClaw configuration, and writes persistent state and token files under ~/.openclaw and the skill directory. It does not set always:true and does not modify other skills, but the persistent service and stored token give ongoing local presence and an attack surface if misconfigured.
What to consider before installing
Before installing, review and harden the deployment:
1) Search the repo/docs for any hard-coded token (examples in INTEGRATION_GUIDE/REPORT) and replace with a generated secret; never use published example tokens in production.
2) Ensure you set a strong HOOK_TOKEN (or --token) and verify openclaw_hook.py starts with that token; do not leave token unset (the server currently accepts requests when no token is configured).
3) Confirm which OpenClaw config file the installer will modify (install.py writes ~/.openclaw/config.json while docs reference openclaw.json); back up your existing OpenClaw config before running update scripts.
4) Inspect the systemd service file and decide whether to enable a user/system service; run install steps manually if you prefer (the install script will attempt to enable/start systemd).
5) Protect log and token files (HOOK_LOG_FILE, .hook_token, ~/.openclaw/*) with restrictive file permissions and consider rotating tokens.
6) Because the hook logs inbound message content, consider whether PII may be written to hook.log and control access to that file.
7) If you want to test safely, run the hook in an isolated environment or container, verify behavior, then adopt in production only after addressing the above.
If you want, I can point out exact files/lines to change to fix the token/config issues and secure logging.
Like a lobster shell, security has layers — review code before you run it.
latest vk97b3qbzrwv1kfdyt3n1ch9bax83f908
Runtime requirements
Bins: python3
