Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Yzl Iot Api
v1.2.1. 云智联 IoT device management API v1.2.0. A single sentence is enough to fetch sensor data and send control commands. Activation phrase: "云智联 device, the key is xxxxxx, turn on the switch / get the data for me".
by @yzlkj
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, high confidence

Purpose & Capability
The name, SKILL.md, and tool.py all indicate an IoT device management client for 云智联 (calls to https://open.yzlkj.com). That purpose is coherent with the code's network calls and commands. However the skill metadata does not declare the API credential (YZLIOT_API_KEY) nor does it declare Python as a required runtime—even though the README and tool.py clearly require exporting YZLIOT_API_KEY and running python3. This mismatch is a significant metadata inconsistency.
Instruction Scope
SKILL.md instructs the user/agent to set YZLIOT_API_KEY and run python3 tool.py; the tool.py code only performs HTTPS requests to the documented BASE_URL endpoints and processes responses. The instructions do not request unrelated local files or other credentials. The scope of operations (read env var, call API endpoints, parse responses, send device commands) aligns with the stated IoT purpose, but the instructions rely on an env var that the registry omitted.
Install Mechanism
There is no install spec (instruction-only skill) which is low-risk, but a code file (tool.py) is included. The skill therefore requires a Python runtime to execute the bundled script—yet the metadata reported no required binaries. The lack of an install/packaging spec is not inherently dangerous but the missing runtime declaration is an operational inconsistency.
Credentials
The code reads a single environment variable YZLIOT_API_KEY and refuses to operate without it. The API key is the sole secret the tool uses, which is appropriate for an API client, but the skill's declared requirements list no env vars or primary credential. The missing declaration of YZLIOT_API_KEY in registry metadata is a proportionality/accuracy problem and raises caution because an undeclared required secret can cause confusion or accidental leakage if users are not prompted properly.
Persistence & Privilege
The skill does not request persistent or elevated platform privileges (always=false). It makes network calls to the IoT provider and does not modify other skill configs or system-wide settings. Autonomous invocation is allowed by default, which is not excessive here.
What to consider before installing
This package appears to be a normal IoT API client that contacts https://open.yzlkj.com and requires an API key (YZLIOT_API_KEY) and a Python runtime (python3). Before installing or running it:

1) Treat the API key as sensitive: anyone with it can read sensor data and send control commands to your devices. Only use a least-privileged key and revoke it if you suspect misuse.
2) The registry metadata is inaccurate: it does not list the required env var or Python dependency. Ask the publisher for corrected metadata or prefer a skill whose declared requirements match the code.
3) Confirm you trust the domain (open.yzlkj.com) and the skill owner (no homepage provided). If you cannot verify the source, avoid installing or run it in an isolated environment.
4) If you proceed, export the API key locally (not in shared/system-wide profiles) and inspect runtime output for unexpected network destinations; the included code appears to only contact the expected BASE_URL.

Like a lobster shell, security has layers: review code before you run it.
Version: latest (vk97110ym1kk9snkb04ayddxwbd84czqq)
