📦 Local Hub — Local工具
v1.0.2本地能力中心。通过 HTTP 调用本机麦克风、摄像头、Ollama、YOLO、Stable Diffusion、TTS/转写、通知、剪贴板、天气、白名单脚本等。当需要「验证是否有声音、拍一张照、用本地模型对话、文生图/图生图、朗读、系统通知、读剪贴板、看图描述、列模型、天气、跑脚本」时使用。需先确保 local_...
0· 312·0 当前·0 累计
by 安全扫描
OpenClaw
安全
medium confidenceThe skill's name and instructions match: it's an instruction-only wrapper that tells the agent how to call a separately-installed local HTTP 'local_hub' service to access mic/camera/LLMs/SD/clipboard/notifications and run whitelisted scripts — coherent, but it grants access to sensitive local resources so you should audit and control the backend before running.
评估建议
This skill is essentially a client for a local service that performs sensitive actions (camera, mic, clipboard, filesystem, run scripts, call local models). It is internally coherent with its description, but before installing or enabling it you should: (1) inspect and vet the local_hub repository and release you plan to run (do not run an untrusted run.sh), (2) ensure the RUN_SCRIPT_WHITELIST only contains safe scripts and understand what TRANSCRIBE_SCRIPT does, (3) consider running the service...详细分析 ▾
✓ 用途与能力
The name/description state a local capability hub and the SKILL.md only contains curl-based instructions to call a localhost API (audio, camera, LLM, SD, clipboard, notify, run-script, etc.). Required binary is only curl and no unrelated credentials, which is proportionate to the stated purpose.
⚠ 指令范围
The instructions explicitly direct the agent to call endpoints that access sensitive local resources (microphone, camera, clipboard, filesystem paths returned by API) and to request execution of whitelisted local scripts via POST /run/script. While expected for a local hub, this expands what an autonomous agent can do on the host (sensor capture, file reads/writes, launching model services). Confirm you trust and inspect the local_hub service implementation and its whitelist configuration before enabling.
✓ 安装机制
The skill is instruction-only and does not install code itself. SKILL.md points to a GitHub repo/releases (a standard host) and documents manual steps (virtualenv, pip install, run.sh). No hidden download or extract steps in the skill itself.
✓ 凭证需求
The skill declares no required env vars or credentials. It mentions optional local-service envs (e.g., SD_BASE_URL) and service-side configs (TRANSCRIBE_SCRIPT, RUN_SCRIPT_WHITELIST) but does not request host secrets. This is proportionate to an instruction-only connector.
ℹ 持久化与权限
always is false and the skill is user-invocable; autonomous invocation is allowed by default. Because the skill enables access to local sensors and script execution via the backend, consider the increased blast radius if you permit autonomous (unsupervised) use — review local_hub access controls and script whitelist.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.22026/3/5
补充服务端下载:GitHub 仓库与 v1.0.0 zip 直链及解压后安装步骤
● 可疑
安装命令
点击复制官方npx clawhub@latest install local-hub
镜像加速npx clawhub@latest install local-hub --registry https://cn.longxiaskill.com镜像同步中