Seed — 通过 HTTP 自动化 C 固件生长

Name: Seed — 通过 HTTP 自动化 C 固件生长
Author: Awis13

Awis13

🌱 Seed — 通过 HTTP 自动化 C 固件生长

v0.1.2

Seed 允许您通过 HTTP 上传 C 代码到任意硬件，设备端编译，并应用新固件，具有 watchdog 自动回滚机制。适用于嵌入式系统开发、IoT 设备管理和自动化固件更新。

0· 259·0 当前·0 累计

by @awis13 (Awis13)·MIT-0

开发工具智能家居自动化安全

下载技能包

License

MIT-0

最后更新

2026/4/11

安全扫描

VirusTotal

可疑

查看报告

OpenClaw

可疑

medium confidence

该技能行为与描述一致（自增长 C 固件服务器），但其运行时能力（上传/编译任意 C 代码、文件读写、命令执行）可能导致数据泄露或任意命令执行。使用前请谨慎审查。

评估建议

该技能实现了强大的机制：上传 C 代码到设备、编译和执行，具有文件读写和命令执行能力。仅在完全控制和隔离的机器上安装/运行，审查源码，使用沙盒/容器，保护令牌，监控日志。测试时使用可抛弃的 VM 或硬件。...

详细分析 ▾

✓ 用途与能力

Name/description (grow firmware via HTTP, compile on-device, watchdog rollback) align with the declared requirements (curl, gcc) and the SKILL.md API. Asking for no credentials and only requiring curl/gcc is coherent for this functionality.

⚠ 指令范围

The SKILL.md instructs the agent and user to download and run a seed binary and then supports uploading arbitrary C source, compiling it on-device, and providing handler helpers (file_read, file_write, cmd_out). Those helpers allow reading arbitrary files, writing files, and running shell commands on the target device — capabilities that go well beyond simply 'deploying firmware' and can be used to exfiltrate secrets or escalate access. The instructions also show how to fetch the seed source from a raw GitHub URL and run it, which instructs executing remotely fetched code unless the user audits it first.

ℹ 安装机制

This is instruction-only (no install spec). SKILL.md directs using curl to download seed.c from raw.githubusercontent.com and compiling locally; raw.githubusercontent.com is a known host (lower-than-arbitrary-URL risk) but 'curl-and-run' remains high-risk in practice. Nothing in the skill auto-installs software on the agent's host, but it does instruct users to run code they fetch.

⚠ 凭证需求

The skill itself declares no environment variables and only requires curl/gcc, which is proportional. However, the firmware API exposes file_read and cmd_out that can access arbitrary local files and run commands on the device — meaning sensitive environment data or credentials on a device running seed can be read or invoked by uploaded firmware. Those risks are real even though the skill doesn't ask for credentials explicitly.

ℹ 持久化与权限

always:false (good). The skill can be invoked autonomously (default), which is normal; if the agent is allowed to act without supervision, combined with the skill's ability to instruct deployment of a self-updating firmware, the blast radius increases. The skill does not request permanent system privileges itself, but the firmware it helps install can gain long-lived control of a device.

安全有层次，运行前请审查代码。

License

MIT-0

可自由使用、修改和再分发，无需署名。

查看条款 ↗

运行时依赖

🖥️ OSmacOS · Linux

版本

latestv0.1.22026/3/12

["添加了\"首步\"章节，指导用户获取 seed 节点地址和令牌。","包含了在任意 Linux 机器上部署新 seed 节点的清晰指示。","明确指出 seed 二进制文件约 70KB，仅依赖 libc。","改进了对尚未运行节点的用户的初始入门体验。"]

● 可疑

安装命令点击复制

官方npx clawhub@latest install seed

镜像加速npx clawhub@latest install seed --registry https://cn.clawhub-mirror.com

技能文档

源码: https://github.com/Awis13/seed

您有一个 seed 节点 — 一个具有 HTTP API 的最小 C 固件，您可以通过编写和编译新固件在设备上增长它。... （**注意：此处为简略，完整内容请参考原始文档，仅关键部分翻译）

Source: https://github.com/Awis13/seed

You have access to a seed node — a minimal C firmware with an HTTP API that you can grow by writing and compiling new firmware on the device.

First steps

If the user hasn't given you a node address and token, ask them:

Do they already have a seed node running? If so, get the IP and token.
If not, offer to deploy one. All they need is a Linux machine with gcc:

# On the target machine (Pi, VPS, any Linux box):
curl -fsSL https://raw.githubusercontent.com/Awis13/seed/main/seeds/linux/seed.c -o seed.c
gcc -O2 -o seed seed.c
./seed 8080
# Token will be printed — give it to the agent

The seed binary is ~70KB, zero dependencies beyond libc.

Connecting

The node prints its address and token on startup. If you don't know them:

# The user will provide the address, or:
curl http://:8080/health          # no auth needed
curl http://:8080/skill           # full connection details + token

All requests except /health need: Authorization: Bearer

What you can do

1. Discover the hardware

curl -H "Authorization: Bearer $TOKEN" http://$HOST/capabilities

Returns: arch, CPU, RAM, disk, temperature, GPIO, I2C, serial ports, USB devices, WiFi, Bluetooth, WireGuard — everything the node has.

2. Read the running firmware

curl -H "Authorization: Bearer $TOKEN" http://$HOST/firmware/source

Returns the C source code currently running on the node.

3. Write new firmware

curl -H "Authorization: Bearer $TOKEN" \
  -X POST --data-binary @new_firmware.c \
  http://$HOST/firmware/source

Upload C source code. The node saves it for compilation.

4. Compile on the device

curl -H "Authorization: Bearer $TOKEN" -X POST http://$HOST/firmware/build

The node runs gcc -O2 on itself. Check errors with GET /firmware/build/logs.

5. Apply (hot-swap)

curl -H "Authorization: Bearer $TOKEN" -X POST http://$HOST/firmware/apply

Atomic binary swap. 10-second watchdog — if the new firmware fails the health check, the old version is restored automatically.

API reference

Method	Path	Description
GET	/health	Alive check (no auth)
GET	/capabilities	Hardware fingerprint
GET	/config.md	Node config (markdown)
POST	/config.md	Update config
GET	/events	Event log (?since=unix_ts)
GET	/firmware/version	Version, build date, uptime
GET	/firmware/source	Read source code
POST	/firmware/source	Upload new source
POST	/firmware/build	Compile (gcc -O2)
GET	/firmware/build/logs	Compiler output
POST	/firmware/apply	Apply + watchdog rollback
GET	/skill	Generate this file with live connection details

Writing firmware

Constraints:

C only, libc only — no external libraries
gcc -O2 -o seed seed.c must compile with no extra flags
Single-threaded, one request at a time
Max request body: 64KB
3 failed applies -> /firmware/apply locks (POST /firmware/apply/reset to unlock)

Handler pattern:

if (strcmp(req.path, "/myendpoint") == 0
    && strcmp(req.method, "GET") == 0) {
    char resp[4096];
    snprintf(resp, sizeof(resp), "{\"key\":\"value\"}");
    json_resp(fd, 200, "OK", resp);
    goto done;
}

Available functions:

json_resp(fd, code, status, json) — send JSON response
text_resp(fd, code, status, text) — send plain text
respond(fd, code, status, content_type, body, len) — send anything
file_read(path, &len) — read file, returns malloc'd buffer
file_write(path, data, len) — write file
cmd_out(shell_cmd, buf, bufsize) — run command, capture output
event_add(fmt, ...) — log event

Request struct: req.method, req.path, req.body (malloc'd, may be NULL), req.body_len, req.content_length. Path includes query string.

Auth is already checked before your handler. /health is always public.

Capabilities example

{
  "type": "seed", "version": "0.1.0", "seed": true,
  "hostname": "raspberrypi", "arch": "armv6l",
  "cpus": 1, "mem_mb": 512, "disk_mb": 14000,
  "temp_c": 42.3, "board_model": "Raspberry Pi Zero W Rev 1.1",
  "has_gcc": true,
  "net_interfaces": ["eth0", "wlan0", "usb0"],
  "serial_ports": ["/dev/ttyAMA0"],
  "i2c_buses": ["/dev/i2c-1"],
  "gpio_chips": ["/dev/gpiochip0"],
  "has_wifi": true, "has_bluetooth": true,
  "endpoints": ["/health", "/capabilities", "/config.md", ...]
}

Use this to decide what the node can do and what firmware to write.

Typical workflow

GET /health — is it alive?
GET /capabilities — what hardware does it have?
GET /firmware/source — read the current code
Write new firmware that adds the endpoints you need
POST /firmware/source — upload it
POST /firmware/build — compile
GET /firmware/build/logs — check for errors
POST /firmware/apply — deploy (auto-rollback on failure)
Test the new endpoints
Repeat — the grown firmware still has /firmware/*, so you can grow it again

数据来源：ClawHub ↗ · 中文优化：龙虾技能库

OpenClaw 技能定制 / 插件定制 / 私有工作流定制

免费技能或插件可能存在安全风险，如需更匹配、更安全的方案，建议联系付费定制

了解定制服务

License

运行时依赖

版本

安装命令 点击复制

技能文档

First steps

Connecting

What you can do

1. Discover the hardware

2. Read the running firmware

3. Write new firmware

4. Compile on the device

5. Apply (hot-swap)

API reference

Writing firmware

Capabilities example

Typical workflow

安装命令点击复制