Is jesserod329/philips-hue-thinking safe?

https://github.com/openclaw/skills/tree/main/skills/jesserod329/philips-hue-thinking

92
SAFE

This skill provides legitimate functionality for using Philips Hue lights as visual indicators of AI activity status. The code appears benign and purpose-appropriate, with only minor concerns around executable scripts and hardcoded configuration.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 95/100 · 5%

Findings (4)

LOW Executable shell scripts included -10

The skill includes shell scripts (quick-setup.sh, hue-hooks.sh) that contain executable code for Hue light control integration.

LOW Hardcoded IP address in setup script -5

The quick-setup.sh script contains a hardcoded IP address (192.168.1.151) that may not work for all users.

INFO Agent command execution requests -5

The skill documentation instructs the agent to execute 'hue' commands for light control.

INFO Canary file access during monitoring -10

Monitoring detected access to canary files, but this appears to be the monitoring system itself rather than malicious skill behavior.