Last updated
2026/4/20
Security scan
OpenClaw
Suspicious
medium confidence
Assessment recommendations
Before installing: 1) Note the mismatch between the registry summary (which declared no required env vars) and the SKILL.md (which requires SMARTPI_TOKEN and SMARTPI_DEVICE_KEY). Confirm the platform will store those secrets in a secure secret store rather than exposing them in logs or shell history. 2) Verify the API hostname (https://mcp.aimachip.com) is legitimate and intended for your SmartPi devices — the skill homepage is smartpi.cn but the API uses aimachip.com, which could be legitimate ...
ℹ Purpose and capabilities
The SKILL.md describes an IoT control skill (lights, humidifier, curtains) and only needs curl plus two credentials (SMARTPI_TOKEN and SMARTPI_DEVICE_KEY), which is coherent with the stated purpose. However, the registry metadata at the top of the submission listed 'Required env vars: none' while the embedded SKILL.md metadata and instructions require two environment variables — this mismatch is inconsistent.
✓ Instruction scope
Instructions only show curl POSTs to the documented API and provide an optional helper script to write under ~/.openclaw/workspace/skills/smartpi-iot/scripts/iot-control.sh. The skill does not instruct reading unrelated system files or exfiltrating data to unexpected endpoints. The script does persist a file under the user's OpenClaw workspace (which is normal for a skill), but that write location was not listed in the top-level registry 'required config paths', another small inconsistency.
✓ Install mechanism
This is an instruction-only skill with no install spec or remote downloads; required binary is curl. That is low-risk from an install/execution perspective.
⚠ Credential requirements
The two environment variables requested by SKILL.md (SMARTPI_TOKEN, SMARTPI_DEVICE_KEY) are appropriate for IoT API access and are proportionate. The concern is that the skill registry summary omitted these requirements (listed 'none'), so the platform-level metadata does not match the runtime instructions. Also the SKILL.md uses plaintext environment interpolation in curl commands; users should avoid exposing tokens in logs/command history and use platform secret storage where available.
✓ Persistence and privileges
The skill does not request always:true and uses normal user-invocable/default autonomous invocation. It does suggest creating a helper script in the user's OpenClaw workspace (local to the agent), which is reasonable and limited in scope. The skill does not ask to modify other skills or system-wide settings.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/3/18
● Benign
Install command
Official: npx clawhub@latest install smartpi-iot
Mirror: npx clawhub@latest install smartpi-iot --registry https://cn.longxiaskill.com