← Back to Skills Marketplace
enchantedmotorcycle

Mqtt Client

by enchantedmotorcycle · GitHub ↗ · v1.0.7
cross-platform ⚠ suspicious
2416
Downloads
0
Stars
6
Active Installs
8
Versions
Install in OpenClaw
/install mqtt-client
Description
This is a simple client for connecting to an mqtt instance
Usage Guidance
Do not run this skill as-is against real brokers or with real credentials. Key concerns: (1) bootstrap.sh hardcodes a /home/jc/.openclaw/... path and activates a venv that may not exist; (2) the script sources an .env (not listed in required envs) and run.py reads MQTT_USERNAME and MQTT_PASSWORD—inspect that .env to ensure it doesn't contain secrets you don't want exposed; (3) run.py subscribes to all topics ('#') and logs message payloads to stdout (logs may be aggregated or retained); (4) requirements.txt lists paho.mqtt but there's no automated pip install—ensure dependencies are installed in an isolated environment. Recommended steps before installing: inspect or create the .env contents, replace hard-coded paths with relative or runtime-determined paths, add explicit install steps (pip install -r requirements.txt) or documentation, enumerate required env vars in the skill manifest, and run the client in an isolated environment (container or throwaway VM) connected to a test broker. If you need stronger assurance, ask the author to remove absolute paths, explicitly declare required env vars, and provide a proper install script that creates a venv and installs dependencies.
Capability Analysis
Type: OpenClaw Skill Name: mqtt-client Version: 1.0.7 The skill is classified as suspicious primarily due to the `source .env` command in `scripts/bootstrap.sh`. While intended for loading configuration, this command executes arbitrary shell commands found within the `.env` file. As the `.env` file is part of the skill bundle, a malicious skill developer could embed harmful shell commands (e.g., for data exfiltration or system modification) within it, which would then be executed by the agent. This represents a significant arbitrary code execution risk, even though the provided `run.py` script appears benign and uses environment variables for legitimate MQTT connection details.
Capability Assessment
Purpose & Capability
The name/description match the included Python code (a simple MQTT subscriber). However the SKILL.md and files contradict the declared requirements: SKILL.md claims 'no parameters' and 'no required env vars', yet run.py reads MQTT_BROKER, MQTT_PORT, MQTT_TOPIC, MQTT_USERNAME, and MQTT_PASSWORD from the environment. bootstrap.sh expects a pre-created venv and an .env in a hard-coded /home/jc/.openclaw/... workspace path. These environment/config expectations are not declared in the skill metadata and look disproportionate to the stated 'simple client' purpose.
Instruction Scope
SKILL.md instructs running scripts/bootstrap.sh which sources an absolute path and an .env, then runs run.py. run.py subscribes to all topics ('#') and logs message payloads to stdout. The instructions do not document what .env must contain or where logs go. The agent would therefore load unspecified environment variables and could receive broad message traffic (potentially sensitive), contrary to the claim that 'no parameters' are required.
Install Mechanism
There is no install spec. requirements.txt lists paho.mqtt but bootstrap.sh does not install it nor create the venv; instead bootstrap.sh activates a venv at a hard-coded absolute path. That makes the script brittle and indicates the package expects a pre-initialized developer environment rather than a proper install step. This is an operational risk (will fail silently or unexpectedly) and increases the chance of accidental exposure if you run it without checking.
Credentials
The skill declares no required environment variables, yet run.py relies on multiple MQTT-related env vars (including username/password) and bootstrap.sh sources an .env file. Requiring unspecified secrets (via an .env) without declaring them is disproportionate and a transparency issue. Additionally, subscribing to '#' can surface many messages—if those messages are sensitive they could be logged where agent logs are collected.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It runs a short-lived (60s) background loop and performs no persistent configuration changes. Persistence/privilege level is appropriate.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install mqtt-client
  3. After installation, invoke the skill by name or use /mqtt-client
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.7
- Improved environment variable handling: bootstrap.sh now automatically loads .env file for connection details. - Updated documentation in SKILL.md to clarify .env loading behavior. - No functional changes to core client logic.
v1.0.6
- No user-facing changes; documentation and functionality remain the same. - File scripts/bootstrap.sh was modified, but the skill description and usage are unchanged.
v1.0.5
- Updated documentation to clarify that no parameters are required to use the skill. - Added instructions for using `scripts/bootstrap.sh` to set up the Python environment and connect to MQTT. - Updated resource section to reflect changes in setup and execution instructions.
v1.0.4
- Updated scripts/bootstrap.sh (details not specified) - No changes to documentation or core functionality.
v1.0.3
- Added bootstrap script: scripts/bootstrap.sh to assist with setup or initialization tasks.
v1.0.2
- Added requirements.txt to specify Python package dependencies for the skill.
v1.0.1
- Improved SKILL.md formatting with a more visible "# mqtt-client" header. - No changes to functionality; documentation update only.
v1.0.0
mqtt-client 1.0.0 - Initial release of a simple MQTT client. - Maintains a background connection to a specified MQTT queue and tracks messages. - Connection details are loaded from environment variables. - Run the client using scripts/run.py.
Metadata
Slug mqtt-client
Version 1.0.7
License
All-time Installs 6
Active Installs 6
Total Versions 8
Frequently Asked Questions

What is Mqtt Client?

This is a simple client for connecting to an mqtt instance. It is an AI Agent Skill for Claude Code / OpenClaw, with 2416 downloads so far.

How do I install Mqtt Client?

Run "/install mqtt-client" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Mqtt Client free?

Yes, Mqtt Client is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Mqtt Client support?

Mqtt Client is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Mqtt Client?

It is built and maintained by enchantedmotorcycle (@enchantedmotorcycle); the current version is v1.0.7.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments