Quote/0
PassAudited by ClawScan on May 1, 2026.
Overview
This skill transparently uses a local Node script and Dot API credentials to control a Quote/0 device, with no hidden endpoints or unrelated behavior found.
This appears safe to install for controlling Quote/0 if you trust the Dot API integration. Before use, protect your DOT_API_KEY, confirm the target device ID, and review any text or image content before sending it to the device.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using this skill with valid credentials can query and control the associated Quote/0 device through the Dot API.
The skill requires an API key and device identifier to access the user’s Dot account/device, which is expected for this integration but gives the script delegated device authority.
`DOT_API_KEY`(必需); `DOT_DEVICE_ID`(设备相关命令必需,如 `status|next|list|text|image`)
Use a dedicated Dot API key if possible, keep it out of shared chats and files, and revoke or rotate it if it is exposed.
The agent could update displayed text/images or switch content if asked to use the skill with valid credentials.
The local CLI can send POST requests that change device content or switch to the next content item. This matches the stated purpose, but it is still mutation authority over a connected device.
case 'text': ... path: `/device/${deviceId}/text` ... case 'image': ... path: `/device/${deviceId}/image` ... case 'next': ... path: `/device/${deviceId}/next`Review the exact message, image, target device ID, and refresh behavior before allowing content-changing commands.
A selected local image file will be uploaded to the Dot service as device content.
The image command reads a user-specified local PNG file and sends it to the Dot API. The code checks for a regular .png file, size limit, and PNG header, which makes the behavior bounded and purpose-aligned.
const filePath = path.resolve(args.imageFile); ... const buf = fs.readFileSync(filePath); ... return buf.toString('base64');Only provide image paths for files you intend to upload, and avoid private or sensitive images.