Trusted — Risk Score 5/100
Last scan: 23 hr ago
lg-thinq-universal
Universal LG ThinQ device manager. Discovers appliances and generates secure, device-specific OpenClaw skills for home automation.
Legitimate LG ThinQ device manager and skill generator with fully declared capabilities, strong credential isolation, manifest-based user consent, and allowlist input sanitization. No malicious behavior detected.
Skill Name: lg-thinq-universal
Duration: 43.1s
Engine: pi
Safe to install
Skill is safe to use. No blocking issues found. Consider pinning exact dependency versions in requirements.txt for improved supply chain hygiene.

Findings 2 items

Severity Finding Location
Low
Dependencies not pinned to exact versions Supply Chain
requirements.txt uses >= constraints for both requests and python-dotenv. Both are widely used, established libraries, but a lower-bound-only range resolves to whatever newest matching release is on the index at install time, so a compromised or malicious future release would be installed without any change to this skill.
python-dotenv>=1.0.0
requests>=2.25.0
→ Pin to exact versions (requests==2.31.0 and python-dotenv==1.0.1) for reproducibility and supply chain integrity. An exact pin still trusts the index to serve the right artifact; adding --hash=sha256:... entries and installing with pip install --require-hashes verifies the downloaded files as well.
requirements.txt:1
Low
Environment variable access not declared in SKILL.md Doc Mismatch
The SKILL.md does not explicitly list environment variable read access as a required capability, though scripts read LG_PAT, LG_COUNTRY, LG_DEVICE_ID, LG_API_KEY, etc. This is a functional requirement and not sensitive data exfiltration.
PAT = os.getenv("LG_PAT") # lg_api_tool.py:39
→ Add 'env: READ' to the capability declaration in SKILL.md metadata for completeness, though the information is not exfiltrated.
SKILL.md:1
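As an added example (not part of the scan report or of the lg-thinq-universal project), the check behind Finding 1 written as a small Python audit: it parses requirements.txt lines, treats only exact == clauses without a wildcard as pinned, and records whether a --hash= digest is present. SAMPLE_REQUIREMENTS reproduces the two lines the finding quotes; HARDENED_REQUIREMENTS is a hypothetical pinned version whose digest is a placeholder, not a real hash.

```python
"""Audit a requirements.txt for constraints that are not exact, hash-locked pins (added example)."""
import re

# Constructed sample: the two lines the scan quotes from the skill's requirements.txt.
SAMPLE_REQUIREMENTS = """\
python-dotenv>=1.0.0
requests>=2.25.0
"""

# Hypothetical hardened file for comparison; the sha256 value is a placeholder, not a real digest.
HARDENED_REQUIREMENTS = """\
python-dotenv==1.0.1 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
requests==2.31.0
"""

_REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"  # distribution name
    r"(?:\[[^\]]*\])?"                         # optional extras, e.g. requests[socks]
    r"\s*(?P<spec>[^;]*?)"                     # version specifier clauses
    r"\s*(?:;.*)?$"                            # optional environment marker
)


def classify_spec(spec: str) -> str:
    """'pinned' only when every clause is an exact == (or ===) match without a wildcard."""
    if not spec:
        return "unpinned"
    clauses = [c.strip() for c in spec.split(",")]
    if all(c.startswith("==") and not c.endswith(".*") for c in clauses):
        return "pinned"
    return "range"


def audit_requirements(text: str) -> list[dict]:
    """Return one record per requirement; comments, blank lines and pip options (-r, -e, ...) are skipped."""
    records = []
    for raw in text.replace("\\\n", " ").splitlines():   # join backslash continuations first
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        hashed = "--hash=" in line
        req = line.split("--hash=", 1)[0].strip()          # drop hash options before parsing
        m = _REQ_RE.match(req)
        if not m:
            continue
        records.append({
            "name": m.group("name").lower(),
            "spec": m.group("spec"),
            "status": classify_spec(m.group("spec")),
            "hashed": hashed,
        })
    return records


def needs_action(text: str) -> list[str]:
    """Names of packages that are not both exactly pinned and hash-locked."""
    return [r["name"] for r in audit_requirements(text)
            if r["status"] != "pinned" or not r["hashed"]]


if __name__ == "__main__":
    for label, body in (("scanned", SAMPLE_REQUIREMENTS), ("hardened", HARDENED_REQUIREMENTS)):
        print(f"== {label} ==")
        for r in audit_requirements(body):
            flag = "OK " if r["status"] == "pinned" and r["hashed"] else "FIX"
            print(f"{flag} {r['name']:<14} {r['spec'] or '(any)':<12} {r['status']:<9} hash={r['hashed']}")
```

Run against the scanned file both packages are reported as "range"; against the hardened file python-dotenv passes and requests is still flagged because a bare == pin without a digest does not verify what the index actually serves.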
Resource | Declared | Inferred | Status | Evidence
Network | READ | READ | ✓ Aligned | SKILL.md declares network for PyPI and LG ThinQ API; all HTTP calls target known…
Filesystem | WRITE | WRITE | ✓ Aligned | SKILL.md explicitly describes file write operations for workspace assembly; all …
Shell | WRITE | WRITE | ✓ Aligned | SKILL.md declares install: ./setup.sh and manifests all shell operations (venv c…
Environment | NONE | READ | ⚠ Mismatch (Low, see Finding 2) | Scripts read LG_PAT, LG_COUNTRY, LG_DEVICE_ID from os.environ — functional requi…
External URLs 5 items

Severity | Type | URL | Location
Medium | External URL | https://connect-pat.lgthinq.com | README.md:19
Medium | External URL | https://api-kic.lgthinq.com/route | references/api-reference.md:86
Medium | External URL | https://api-aic.lgthinq.com/route | references/api-reference.md:89
Medium | External URL | https://api-eic.lgthinq.com/route | references/api-reference.md:90
Medium | External URL | https://api-kic.lgthinq.com | references/api-reference.md:110

All five hosts are under lgthinq.com, consistent with the network capability SKILL.md declares for the LG ThinQ API.

File Tree

18 files · 85.3 KB · 2416 lines
Markdown 9 files · 1127 lines; Python 4 files · 1015 lines; Shell 1 file · 262 lines; JSON 3 files · 10 lines; Text 1 file · 2 lines
├─ 📁 profiles
│ ├─ 📋 device_2f33f24132bcda13eb1662061ddf64999c4fb3866207c6d417473425a76da8a5.json JSON 1L · 3.1 KB
│ └─ 📋 devices.json JSON 8L · 317 B
├─ 📁 references
│ ├─ 📝 api-reference.md Markdown 284L · 7.6 KB
│ ├─ 📝 device-example.md Markdown 159L · 4.0 KB
│ ├─ 📝 device-skill-template.md Markdown 43L · 1.5 KB
│ ├─ 📝 manual-setup.md Markdown 219L · 5.1 KB
│ ├─ 📋 public_api_constants.json JSON 1L · 242 B
│ ├─ 📝 skill-creation.md Markdown 70L · 2.7 KB
│ └─ 📝 skill-generation-guide.md Markdown 103L · 3.0 KB
├─ 📁 scripts
│ ├─ 🐍 assemble_device_workspace.py Python 337L · 13.0 KB
│ ├─ 🐍 generate_control_script.py Python 275L · 10.1 KB
│ └─ 🐍 lg_api_tool.py Python 323L · 10.5 KB
├─ 🐍 lg_control_test.py Python 80L · 2.8 KB
├─ 📝 openclaw-feedback.md Markdown 41L · 3.1 KB
├─ 📝 README.md Markdown 105L · 4.5 KB
├─ 📄 requirements.txt Text 2L · 38 B
├─ 🔧 setup.sh Shell 262L · 8.4 KB
└─ 📝 SKILL.md Markdown 103L · 5.4 KB

Dependencies 2 items

Package | Version | Source | Known Vulns | Notes
requests | >=2.25.0 | pip | No | Version not pinned; widely used library with no known vulnerabilities at current version
python-dotenv | >=1.0.0 | pip | No | Version not pinned; widely used library for .env management

Security Positives

✓ Credential isolation enforced: LG_PAT never written to skill directories, only LG_DEVICE_ID is placed in local .env
✓ Manifest-based consent flow: setup.sh and assemble_device_workspace.py require --confirm flag and display all pending actions to user before execution
✓ Allowlist input sanitization: generate_control_script.py uses re.sub with [^a-zA-Z0-9_] pattern to sanitize all user-provided property names before code generation
✓ No obfuscation: No base64 encoding, no eval(), no obfuscated strings anywhere in the codebase
✓ No sensitive path access: Scripts do not access ~/.ssh, ~/.aws, .env in parent directories, or other credential stores
✓ No data exfiltration: All network traffic is to legitimate LG ThinQ API endpoints; PAT is only sent to authorized LG servers
✓ No remote code execution: shell usage is limited to documented local operations (venv creation, pip install, Python script execution)
✓ No hidden HTML/JSON payloads or steganographic content in binary assets (the file tree contains only Markdown, Python, Shell, JSON and text files)
✓ Controlled subprocess usage with explicit command construction, no shell=True with unsanitized user input
✓ Proper error handling with structured JSON responses throughout all scripts
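An added example, not code from the skill's generate_control_script.py, showing why the allowlist in the positives list works against source injection and what a practitioner would still check after it: re.sub(r'[^a-zA-Z0-9_]', '', name) removes every character an attacker needs to break out of a def line, but it can also leave an empty string, a name starting with a digit, or a Python keyword, none of which is a valid identifier. The function names, the setter template and the constructed BENIGN/PAYLOAD inputs are assumptions for illustration.

```python
"""Allowlist sanitization for property names that end up inside generated Python (added example)."""
import ast
import keyword
import re

# Same allowlist the scan describes: everything outside [a-zA-Z0-9_] is dropped.
_DISALLOWED = re.compile(r"[^a-zA-Z0-9_]")


def strip_disallowed(name: str) -> str:
    """The bare re.sub step on its own."""
    return _DISALLOWED.sub("", name)


def safe_identifier(name: str, fallback: str = "prop") -> str:
    """Sanitize, then validate, so the result is always a usable Python identifier.

    re.sub alone can still yield '' (everything stripped), '2nd' (leading digit)
    or 'class' (a keyword); each would break or silently change the generated code.
    """
    cleaned = strip_disallowed(name)
    if not cleaned:
        cleaned = fallback
    elif not cleaned[0].isidentifier():      # first char must be a letter or '_'
        cleaned = f"{fallback}_{cleaned}"
    if keyword.iskeyword(cleaned):
        cleaned = f"{cleaned}_"
    assert cleaned.isidentifier(), cleaned    # invariant of this function, not user-facing validation
    return cleaned


def render_setter(property_name: str) -> str:
    """Emit one setter for a generated control script; only the sanitized name reaches the source."""
    ident = safe_identifier(property_name)
    return (
        f"def set_{ident}(client, value):\n"
        f"    return client.set({ident!r}, value)\n"
    )


def render_setter_unsafe(property_name: str) -> str:
    """The anti-pattern: raw interpolation, kept only to show what the allowlist prevents."""
    return (
        f"def set_{property_name}(client, value):\n"
        f"    return client.set(value)\n"
    )


def statement_count(source: str) -> int:
    """Top-level statements in generated source; one rendered setter must contribute exactly one."""
    return len(ast.parse(source).body)


def contains_import(source: str) -> bool:
    """True if any import statement appears anywhere in the generated source."""
    tree = ast.parse(source)
    return any(isinstance(n, (ast.Import, ast.ImportFrom)) for n in ast.walk(tree))


# Constructed inputs: a benign ThinQ-style property name and an injection attempt.
BENIGN = "Target Temperature (C)"
PAYLOAD = "temp(client, value):\n    import os\n    os.system('id')\ndef set_tail"

if __name__ == "__main__":
    for name in (BENIGN, PAYLOAD, "2nd stage", "class", "!!!"):
        print(f"{name!r:<70} -> {safe_identifier(name)}")
    print("unsafe statements:", statement_count(render_setter_unsafe(PAYLOAD)))
    print("safe   statements:", statement_count(render_setter(PAYLOAD)))
```

With the raw template the payload turns one setter into two functions, the first of which imports os and runs a command; after the allowlist the whole payload collapses into a single harmless identifier and the output parses to exactly one function with no import.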