🤖 Mqtt Client — MQTT连接工具
v1.0.7轻量级 MQTT 客户端,可快速接入任意 MQTT 代理,实现设备与云端的双向消息收发,适用于 IoT 场景。
0· 2.3k·6 当前·6 累计
by 下载技能包
最后更新
2026/4/20
安全扫描
OpenClaw
可疑
high confidenceNULL
评估建议
Do not run this skill as-is against real brokers or with real credentials. Key concerns: (1) bootstrap.sh hardcodes a /home/jc/.openclaw/... path and activates a venv that may not exist; (2) the script sources an .env (not listed in required envs) and run.py reads MQTT_USERNAME and MQTT_PASSWORD—inspect that .env to ensure it doesn't contain secrets you don't want exposed; (3) run.py subscribes to all topics ('#') and logs message payloads to stdout (logs may be aggregated or retained); (4) requ...详细分析 ▾
⚠ 用途与能力
The name/description match the included Python code (a simple MQTT subscriber). However the SKILL.md and files contradict the declared requirements: SKILL.md claims 'no parameters' and 'no required env vars', yet run.py reads MQTT_BROKER, MQTT_PORT, MQTT_TOPIC, MQTT_USERNAME, and MQTT_PASSWORD from the environment. bootstrap.sh expects a pre-created venv and an .env in a hard-coded /home/jc/.openclaw/... workspace path. These environment/config expectations are not declared in the skill metadata and look disproportionate to the stated 'simple client' purpose.
⚠ 指令范围
SKILL.md instructs running scripts/bootstrap.sh which sources an absolute path and an .env, then runs run.py. run.py subscribes to all topics ('#') and logs message payloads to stdout. The instructions do not document what .env must contain or where logs go. The agent would therefore load unspecified environment variables and could receive broad message traffic (potentially sensitive), contrary to the claim that 'no parameters' are required.
⚠ 安装机制
There is no install spec. requirements.txt lists paho.mqtt but bootstrap.sh does not install it nor create the venv; instead bootstrap.sh activates a venv at a hard-coded absolute path. That makes the script brittle and indicates the package expects a pre-initialized developer environment rather than a proper install step. This is an operational risk (will fail silently or unexpectedly) and increases the chance of accidental exposure if you run it without checking.
⚠ 凭证需求
The skill declares no required environment variables, yet run.py relies on multiple MQTT-related env vars (including username/password) and bootstrap.sh sources an .env file. Requiring unspecified secrets (via an .env) without declaring them is disproportionate and a transparency issue. Additionally, subscribing to '#' can surface many messages—if those messages are sensitive they could be logged where agent logs are collected.
✓ 持久化与权限
The skill does not request always:true and does not modify other skills or system-wide settings. It runs a short-lived (60s) background loop and performs no persistent configuration changes. Persistence/privilege level is appropriate.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.72026/2/6
NULL
● 可疑
安装命令
点击复制官方npx clawhub@latest install mqtt-client
镜像加速npx clawhub@latest install mqtt-client --registry https://cn.longxiaskill.com