by 安全扫描
OpenClaw
安全
medium confidenceThe skill's code and instructions match its stated purpose (local control of an IKEA TRÅDFRI gateway); the main issues are minor metadata omissions (undeclared environment variables and the implicit Node runtime requirement), but nothing indicates malicious behavior.
评估建议
This skill appears to do what it says: control a local IKEA TRÅDFRI gateway. Before installing/run it: 1) Ensure Node.js is available and run `npm install` in the skill folder as instructed. 2) Provide gateway credentials only via config.json or the env vars TRADFRI_HOST / TRADFRI_IDENTITY / TRADFRI_PSK — do not publish these values. 3) Be aware the script must be able to reach the gateway on your local network; run it from a host with network access to the gateway. 4) Review scripts/tradfri.js ...详细分析 ▾
ℹ 用途与能力
The name/description (local TRÅDFRI gateway control) align with the provided scripts and instructions: the script uses node-tradfri-client and operates only against a locally reachable gateway host. Minor metadata mismatch: the registry lists no required env vars or binaries, while the SKILL.md and script require Node.js and allow TRADFRI_HOST/TRADFRI_IDENTITY/TRADFRI_PSK (and a few tuning env vars). This appears to be an omission in metadata rather than malicious intent.
✓ 指令范围
SKILL.md instructs running the included script and installing dependencies (npm install). The runtime instructions and operating rules limit actions to the local TRÅDFRI gateway and ask for confirmation on bulk/house actions; the script reads local config.json and environment variables. The instructions do not direct data to external endpoints beyond the gateway, nor do they ask to read unrelated system files.
ℹ 安装机制
This is instruction-only (no autoinstall spec). The user is told to run `npm install` in the skill folder to install node-tradfri-client. No downloads from untrusted URLs or remote extract/install steps are present. The lack of an install spec and the requirement to run npm manually is normal but should be noted by the user.
ℹ 凭证需求
The script legitimately needs only local gateway credentials (identity/psk) and the gateway host. Those are the only sensitive values used. However, the registry metadata did not declare these environment variables or the implicit Node requirement; additionally the script accepts extra tuning env vars (TRADFRI_SETTLE_MS, TRADFRI_RETRIES, TRADFRI_RETRY_DELAY_MS) that are not documented in the registry metadata. This is a proportional but partly undocumented set of env vars.
✓ 持久化与权限
The skill is not always-enabled, does not request elevated platform privileges, and does not modify other skills or global agent configuration. It runs as a local script when invoked and therefore has only the privileges of the process that executes it.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv0.2.02026/4/4
Add retries, settle-delay verification, floor commands, and layout presets with device-level checks.
● 无害
安装命令
点击复制官方npx clawhub@latest install tradfri-lights
镜像加速npx clawhub@latest install tradfri-lights --registry https://cn.longxiaskill.com