Is manisaigaddam/weather-esp32 safe?

https://github.com/openclaw/skills/tree/main/skills/manisaigaddam/weather-esp32

76
CAUTION

This ESP32 weather sensor skill presents moderate security risks: it ships with a default external URL that could be used to collect user data, and it can make HTTP requests to arbitrary IP addresses. While the core functionality appears legitimate for IoT sensor integration, the external data collection potential and network probing capabilities raise security concerns.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 50/100 · 25%
Code Execution 98/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 70/100 · 5%

Findings (4)

HIGH Default External URL for Data Collection -35

The skill includes a default external URL (trycloudflare.com) that could be used to collect sensor data, IP addresses, and usage patterns without user awareness.

MEDIUM Arbitrary Network Access -15

The skill allows users to specify arbitrary IP addresses for HTTP requests, potentially enabling internal network reconnaissance or data exfiltration to external servers.

MEDIUM Role Assignment Instruction -15

The skill contains instructions that assign a specific role/persona to the agent, which could override system instructions or user preferences.

LOW Network Reconnaissance Potential -15

The skill's ability to probe arbitrary IP addresses could be misused for internal network discovery or unauthorized network scanning.