Security Scan
OpenClaw
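Suspicious
Medium confidence. The skill's files and instructions mostly match a local energy inventory and dashboard tool, but there is scope creep and operational risk: it encourages cross-skill actuation (cutting power), references an edge model downloaded from an unspecified source, and connects to local hardware. These go beyond a simple passive dashboard and call for caution.
Assessment and Recommendations
This skill appears to be what its name says (local inventory + charts), but it also pushes the agent toward active device control and suggests downloading an on-device machine-learning model from an unspecified source. Before installing or running:
- Audit the elided functions in energy.py (run_inventory, read_smart_breaker) to confirm they do not send data or perform unexpected network I/O.
- If you plan to use the vision/edge model feature, download the model only from a trusted URL (the official project or a vendor release); avoid arbitrary/unverified model downloads.
- Be cautious about connecting RS485/Modbus hardware and about allowing cross-skill automation (if the agent is allowed to call other skills that can actuate, such as cutting power); require explicit user confirmation before any actuation.
- Run the skill in an isolated environment (unprivileged account, restricted network) until you are comfortable with its behavior.
If you want a more confident assessment, provide the full contents of run_inventory and read_smart_breaker and the exact model download URL so that I can re-check for network calls, unknown hosts, or any code that might transmit device data.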
ℹ Purpose and Capability
Name/description (spatial inventory + local dashboards) align with the included Python script (generate_dashboard) and SKILL.md, which run local processing with pandas/numpy/matplotlib. The setup-guide and S2-MEMZERO-PROTOCOL that describe RS485/Modbus smart breaker integration and a Nano-scale Edge CNN are consistent with an energy/hardware integration use case, but they expand the scope to hardware I/O and on-device ML (model download), which the top-level metadata doesn't fully enumerate. The presence of agent guidance that recommends cross-skill power-cut actions (actuation) is beyond a purely passive dashboard capability.
⚠ Instruction Scope
SKILL.md instructs the agent to run local scripts and to present file:// image URIs, which is expected. However, AGENT-EXAMPLES explicitly instructs the agent to proactively propose and call other skills/agents to cut power and configure automatic actuations. The setup-guide also mentions wiring RS485 and passive polling vs. actuation handling. That is scope creep from 'passive visual dashboard' into control/actuation and cross-skill orchestration, which materially increases risk.
ℹ Install Mechanism
There is no formal install spec (instruction-only + included code), which is lower disk-write risk. However, the setup-guide tells operators to download a quantized MobileNet SSD .tflite model (source/location not specified) and to install tflite-runtime/opencv packages; an unspecified external model download is a notable vector (unvalidated binary). The primary packaged deps used by the included code (pandas/numpy/matplotlib) are declared in metadata and used.
ℹ Credential Requirements
Only one required env var (S2_PRIVACY_CONSENT) and python3 are declared, which is proportionate for a local tool. That said, the code and docs imply access to local images, RS485/Modbus hardware, and the filesystem (writing charts to cwd, producing file:// URIs). Those local hardware/file accesses are reasonable for an edge energy tool but are privileges the user should consciously accept; the skill does not request cloud credentials, which is appropriate.
ℹ Persistence and Privilege
always is false and the skill does not request persistent platform-wide privileges. However, the AGENT-EXAMPLES language urging automated cross-skill actuation increases the operational blast radius if the agent is allowed to autonomously invoke other skills that can control devices. Autonomous invocation combined with actuation instructions is the main privilege concern here.
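Security is layered; review the code before running.
Runtime Dependencies
No special dependencies
Version
latest v1.1.1 2026/3/23
No functional changes. Version bump only.
- Version updated from 1.1.0 to 1.1.1.
- No modifications to code or documentation detected.
● Benign
Install Command
Official: npx clawhub@latest install s2-energy-perception
Mirror (accelerated): npx clawhub@latest install s2-energy-perception --registry https://cn.clawhub-mirror.com
Skill Documentation
🤖 AI Agent Instructions (Important)
Prerequisite: export S2_PRIVACY_CONSENT=1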
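Action 1: Inventory (stocktake)
```bash
python3 energy.py --action inventory --method default --zone living_room --grid ALL
```
Action 2: Generate Visual Dashboard (generate advanced visual dashboards)
Use this command to generate professional charts (power rating bars, 30-day fluctuation lines) when the user requests an energy report.
```bash
python3 energy.py --action generate_dashboard --zone ALL --grid ALL
```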
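Note: This returns a list of local image URIs (for example, file:///...png). You must present these image links to the user directly in your Markdown response.
Data source: ClawHub · Chinese localization: 龙虾技能库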