Low Risk — Risk Score 15/100
Last scan: 1 day ago
jettyd
Interact with IoT devices via the jettyd platform — read sensors, send commands, manage rules, and list devices
A legitimate IoT device management skill for the jettyd platform. All functionality is declared, the implementation is clean, and there are no security violations. The only flag is a template password placeholder in documentation which is clearly illustrative.
Skill Name: jettyd
Duration: 32.3s
Engine: pi
Safe to install
Approve for use. The hardcoded password placeholder in blueprint.md is a template example with no security impact — it is not actual credentials.

Findings (1 item)

Severity: Low
Finding: Template password placeholder in documentation (Doc Mismatch)
blueprint.md line 58 contains CONFIG_JETTYD_WIFI_PASSWORD="YourNetworkPassword" — this is a clearly marked template/example string in a config file snippet, not actual credentials. It has no security impact as it is never parsed or used by the skill code.
CONFIG_JETTYD_WIFI_PASSWORD="YourNetworkPassword"
→ No action needed. Replace with {{YOUR_WIFI_PASSWORD}} or similar placeholder notation in documentation to eliminate ambiguity.
Location: blueprint.md:58
Resource | Declared | Inferred | Status | Evidence
Network | READ | READ | ✓ Aligned | jettyd-cli.js:42 — fetch to api.jettyd.com only
Filesystem | READ | READ | ✓ Aligned | jettyd-cli.js:22-29 — reads ~/.openclaw/openclaw.json for API key; langchain_too…
Shell | WRITE | NONE | ✓ Aligned | SKILL.md declares 'bins: node' for running the CLI; no subprocess/bash execution…
Pattern findings: 9 (1 High)
🔑 High: API Key (suspected hardcoded credential)
PASSWORD="YourNetworkPassword"
blueprint.md:58
🔗 Medium: External URL
https://jettyd.com
SKILL.md:14
🔗 Medium: External URL
https://api.jettyd.com/v1
SKILL.md:15
🔗 Medium: External URL
https://jettyd.com/docs/mcp
SKILL.md:150
🔗 Medium: External URL
https://api.jettyd.com/v1/devices
blueprint.md:84
🔗 Medium: External URL
https://api.jettyd.com/v1/devices/DEVICE_ID/config
blueprint.md:177
🔗 Medium: External URL
https://api.jettyd.com/v1/webhooks
blueprint.md:200
🔗 Medium: External URL
https://hooks.slack.com/...
blueprint.md:205
🔗 Medium: External URL
https://docs.jettyd.com
blueprint.md:235

File Tree

6 files · 25.9 KB · 862 lines
Markdown: 4 files, 461 lines · JavaScript: 1 file, 221 lines · Python: 1 file, 180 lines
├─ 📁 examples
│ ├─ 🐍 langchain_tool.py Python 180L · 5.6 KB
│ └─ 📝 README.md Markdown 19L · 580 B
├─ 📁 references
│ └─ 📝 api-summary.md Markdown 50L · 1.7 KB
├─ 📁 scripts
│ └─ 📜 jettyd-cli.js JavaScript 221L · 8.1 KB
├─ 📝 blueprint.md Markdown 240L · 5.8 KB
└─ 📝 SKILL.md Markdown 152L · 4.1 KB

Dependencies (1 item)

Package | Version | Source | Known Vulns | Notes
requests | * | pip | No | Only in langchain_tool.py example file, not required for the skill itself

Security Positives

✓ All network requests go to the single, declared endpoint api.jettyd.com — no data exfiltration
✓ No shell command execution, subprocess, or eval patterns found in the codebase
✓ No credential harvesting beyond the intended API key — environment and config file read are both declared and scoped
✓ No obfuscation techniques (no base64, no dynamic code loading, no anti-analysis patterns)
✓ No supply chain risk — no dependencies with unpinned versions or known vulnerabilities
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env) — only reads ~/.openclaw/openclaw.json as declared
✓ API key is used exclusively for Bearer token auth to the jettyd platform — not exfiltrated elsewhere