Is jgm2025/devialet safe?

https://github.com/openclaw/skills/tree/main/skills/jgm2025/devialet

Overall score: 88
Verdict: SAFE

This skill provides legitimate functionality for controlling Devialet speakers via HTTP API and Spotify integration. While it contains executable scripts and makes network requests, the code appears well-intentioned and follows standard patterns for device control and music service integration.

Category Scores (score out of 100 · weight in overall score)

Prompt Injection 95/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (3) (severity, title, score penalty)

MEDIUM Executable shell scripts with network access -25

The skill contains bash scripts that execute curl commands to make HTTP requests to user-specified IP addresses and external APIs. While the functionality appears legitimate for speaker control, executable code always presents some risk.

LOW External network communication -15

The skill communicates with external Spotify API endpoints and requires OAuth token storage. This is standard for music service integration but involves credential handling.

INFO Local network device communication -15

The skill is designed to communicate with Devialet speakers on the local network, which could theoretically be used for network discovery if the IP parameter is manipulated.