Is felipeouropreto/ulanzi-tc001 safe?
https://github.com/openclaw/skills/tree/main/skills/felipeouropreto/ulanzi-tc001
The felipeouropreto/ulanzi-tc001 skill is a legitimate, well-scoped IoT controller for the Ulanzi TC001 pixel clock. The SKILL.md contains no prompt-injection content, the Python implementation makes no attempt to read sensitive files or exfiltrate data, and the clone process behaved normally with no persistent backdoors. The primary security concerns are disabled SSL certificate verification in the weather command and transmission of credentials (the YouTube API key) to the local device over unencrypted HTTP. Both are minor issues typical of hobbyist IoT tooling, not indicators of malicious intent.
Findings (6)
MEDIUM SSL Certificate Verification Disabled in Weather Command -10
The cmd_weather() function creates an unverified SSL context via ssl._create_unverified_context() before contacting the external geocoding and weather APIs. This disables both certificate-chain and hostname validation, so an attacker on the network path (for example on untrusted Wi-Fi) can impersonate the API, read the request and substitute an arbitrary response, which the skill then displays on the device. The data itself is low-sensitivity weather information, but the pattern is a security anti-pattern with a one-line fix: ssl.create_default_context() verifies against the system trust store.
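The weak context beside its hardened form, as an added example (not the skill's own code). It also includes a small AST scan that flags the pattern in any Python script under review; the `ca_bundle` parameter, the `fetch_json` helper and the sample `cmd_weather` snippet are assumptions modelled on the finding, not the real source.

```python
import ast
import json
import ssl
import urllib.request
from typing import Dict, List, Optional, Tuple

# Added example, not the skill's own code: the weak context the finding describes
# beside its hardened form, a fetch helper that refuses to run without verification,
# and an AST scan an auditor can point at any Python script to flag the pattern.

def unverified_context() -> ssl.SSLContext:
    """The anti-pattern: neither the certificate chain nor the hostname is checked."""
    return ssl._create_unverified_context()  # private API, shown only to illustrate the weak form

def verified_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Hardened form: system trust store by default, or a caller-supplied CA bundle.

    ca_bundle is an assumed parameter for deployments behind a private CA."""
    return ssl.create_default_context(cafile=ca_bundle)

def verification_summary(ctx: ssl.SSLContext) -> Dict[str, object]:
    """What a reviewer wants to know about a context before trusting it."""
    return {"check_hostname": ctx.check_hostname, "verify_mode": ctx.verify_mode.name}

def fetch_json(url: str, ctx: Optional[ssl.SSLContext] = None, timeout: float = 10.0) -> dict:
    """GET a JSON document over HTTPS; verification is enforced by the context used."""
    if not url.startswith("https://"):
        raise ValueError("refusing to fetch over plaintext HTTP: " + url)
    context = ctx if ctx is not None else verified_context()
    with urllib.request.urlopen(url, timeout=timeout, context=context) as resp:
        return json.load(resp)

def _is_false(node: ast.AST) -> bool:
    return isinstance(node, ast.Constant) and node.value is False

def find_disabled_tls_verification(source: str) -> List[Tuple[int, str]]:
    """Return (line, reason) pairs for constructs that switch off TLS verification.

    Covers the stdlib pattern from the finding plus the equivalents a reviewer
    meets in other scripts: check_hostname = False, verify_mode = CERT_NONE,
    and requests-style verify=False."""
    hits: List[Tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            fn = node.func
            name = fn.attr if isinstance(fn, ast.Attribute) else getattr(fn, "id", None)
            if name == "_create_unverified_context":
                hits.append((node.lineno, "call to ssl._create_unverified_context()"))
            for kw in node.keywords:
                if kw.arg == "verify" and _is_false(kw.value):
                    hits.append((node.lineno, "verify=False"))
        elif isinstance(node, ast.Assign):
            for tgt in node.targets:
                if not isinstance(tgt, ast.Attribute):
                    continue
                if tgt.attr == "check_hostname" and _is_false(node.value):
                    hits.append((node.lineno, "check_hostname = False"))
                if (tgt.attr == "verify_mode" and isinstance(node.value, ast.Attribute)
                        and node.value.attr == "CERT_NONE"):
                    hits.append((node.lineno, "verify_mode = ssl.CERT_NONE"))
    return sorted(hits)

# Constructed snippet modelled on the pattern the finding describes; not the skill's real source.
SAMPLE_WEATHER_CMD = '''
import ssl, urllib.request
def cmd_weather(city):
    ctx = ssl._create_unverified_context()
    url = "https://geocoding-api.open-meteo.com/v1/search?name=" + city
    return urllib.request.urlopen(url, context=ctx).read()
'''

# The same snippet with the one-line fix applied.
FIXED_WEATHER_CMD = SAMPLE_WEATHER_CMD.replace(
    "ssl._create_unverified_context()", "ssl.create_default_context()")

if __name__ == "__main__":
    print(verification_summary(unverified_context()))
    print(verification_summary(verified_context()))
    for line, reason in find_disabled_tls_verification(SAMPLE_WEATHER_CMD):
        print(f"weak TLS setting at line {line}: {reason}")
    print("fixed version flags:", find_disabled_tls_verification(FIXED_WEATHER_CMD))
```

The scanner is a static check, so it catches the pattern before the skill is ever run; the `fetch_json` helper adds the runtime guard, refusing plaintext URLs outright so that a verified context cannot be bypassed simply by switching the scheme.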
LOW External API Calls to Weather Service -8
The 'weather' subcommand contacts two external Open-Meteo API endpoints: one to geocode the city name and one to retrieve current conditions. Open-Meteo is a legitimate public API, but this is an outbound data flow that users may not anticipate from an 'IoT device controller' skill, and the city name entered by the user is sent to a third party.
LOW Credentials Transmitted Over Plain HTTP to Local Device -5
The 'app youtube_apikey' command (and similar credential fields) POSTs sensitive values to the TC001 device at http://
LOW Canary Files Accessed Post-Install -8
Auditd records show all six canary credential files (.env, id_rsa, .aws/credentials, .npmrc, docker config, gcloud credentials) being opened roughly 12 seconds after skill installation completed (audit timestamp 1771934747.098). The access pattern, all six files at the same millisecond and in the same order as the pre-install baseline scan, is consistent with the oathe framework's own canary verification sweep rather than with the skill. Canary integrity was confirmed intact.
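The reasoning behind this finding, turned into a check that can be run over raw auditd output, as an added example (not code from the page or from the audit framework). The canary home directory, the sweep binary name and the baseline timestamp are assumptions; 1771934747.098 is the timestamp from the finding, and the audit lines are constructed in auditd's SYSCALL/PATH layout.

```python
import re
from collections import OrderedDict
from typing import List

# Added example, not code from the page or from the audit framework: parse raw
# auditd SYSCALL/PATH records and decide whether a burst of canary-file opens
# reproduces the framework's own baseline sweep or needs a human look.

# The six canary paths named in the finding; the home directory is assumed.
SWEEP_ORDER = [
    "/home/agent/.env",
    "/home/agent/.ssh/id_rsa",
    "/home/agent/.aws/credentials",
    "/home/agent/.npmrc",
    "/home/agent/.docker/config.json",
    "/home/agent/.config/gcloud/credentials.db",
]
CANARY_FILES = set(SWEEP_ORDER)

_HDR = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit(lines: List[str]) -> List[dict]:
    """Group raw auditd lines into events by serial; keep timestamp, exe and opened paths."""
    events = OrderedDict()
    for line in lines:
        m = _HDR.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in _KV.findall(body)}
        ev = events.setdefault(serial, {"ts": ts, "exe": None, "paths": []})
        if rtype == "SYSCALL":
            ev["exe"] = fields.get("exe")
        elif rtype == "PATH" and fields.get("nametype") == "NORMAL":
            ev["paths"].append(fields["name"])
    return list(events.values())

def canary_opens(events: List[dict]) -> List[dict]:
    """Flatten to one record per canary-file open, in audit order."""
    return [{"ts": ev["ts"], "exe": ev["exe"], "path": p}
            for ev in events for p in ev["paths"] if p in CANARY_FILES]

def classify_sweep(baseline: List[str], post_install: List[str]) -> str:
    """Apply the reasoning from the finding.

    'framework_sweep': every canary file opened, within one audit timestamp (ms
    resolution), in the baseline order, by the same executable as the baseline.
    'unexplained': any canary open that breaks one of those conditions.
    'no_access': no canary file touched at all."""
    base = canary_opens(parse_audit(baseline))
    post = canary_opens(parse_audit(post_install))
    if not post:
        return "no_access"
    same_ms = len({e["ts"] for e in post}) == 1
    same_exe = {e["exe"] for e in post} == {e["exe"] for e in base}
    same_order = [e["path"] for e in post] == [e["path"] for e in base]
    complete = {e["path"] for e in post} == CANARY_FILES
    return "framework_sweep" if (same_ms and same_exe and same_order and complete) else "unexplained"

def fake_audit_lines(ts: str, first_serial: int, exe: str, paths: List[str]) -> List[str]:
    """Constructed records in auditd's SYSCALL/PATH layout (openat = syscall 257 on x86_64)."""
    comm = exe.rsplit("/", 1)[-1]
    out = []
    for i, p in enumerate(paths):
        s = first_serial + i
        out.append(f'type=SYSCALL msg=audit({ts}:{s}): arch=c000003e syscall=257 success=yes '
                   f'exit=3 comm="{comm}" exe="{exe}" key="canary"')
        out.append(f'type=PATH msg=audit({ts}:{s}): item=0 name="{p}" nametype=NORMAL')
    return out

# Sweep binary name and baseline timestamp are assumed; 1771934747.098 is from the finding.
BASELINE = fake_audit_lines("1771934700.412", 5100, "/usr/bin/oathe-verify", SWEEP_ORDER)
POST_INSTALL = fake_audit_lines("1771934747.098", 5200, "/usr/bin/oathe-verify", SWEEP_ORDER)
SKILL_READ = fake_audit_lines("1771934751.003", 5300, "/usr/bin/python3", SWEEP_ORDER[:2])

if __name__ == "__main__":
    print("post-install burst:", classify_sweep(BASELINE, POST_INSTALL))
    print("partial read by python3:", classify_sweep(BASELINE, SKILL_READ))
```

The point of comparing against the baseline rather than against a fixed rule is that the framework's sweep is its own fingerprint: the same executable, the same order and a single millisecond. A skill reading even one of those files from python3, or at a different instant, fails the match and is surfaced for review instead of being absorbed into the noise.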
INFO Executable Python Script, Expected and Documented -3
The skill includes scripts/tc001.py, which is explicitly documented in SKILL.md. The script uses only standard-library modules (urllib, json, argparse, re, os, sys, ssl), with no dynamic imports or subprocess execution. Executable code is expected and appropriate for this skill type.
INFO Secondary AWTRIX Service Integration -3
The weather command also posts its results to an AWTRIX LED-matrix server (default 192.168.1.19:17000) in addition to the TC001 device. This secondary local service is documented in config.json but not prominently in SKILL.md, so agents using this skill make additional local-network requests beyond what the primary device description implies.