446 Downloads | 1 Stars | 0 Active Installs | 3 Versions
Install in OpenClaw
/install openclaw-skill-red-alert
Description
Israeli Home Front Command alerts - fully OpenClaw native. No Home Assistant. No wacli. No Docker monitor. OpenClaw handles everything: WhatsApp + TTS.
Usage Guidance
Before installing:
1) Verify the source/trustworthiness of the Docker image dmatik/oref-alerts (inspect the image contents or vendor) — pulling an untrusted container runs arbitrary code.
2) Confirm you have a legitimate OpenClaw CLI and understand that the skill will call it via subprocess.
3) Inspect and control environment values: avoid using real HASS_TOKEN or other production credentials during testing; note that install.sh writes env values into crontab (which may expose secrets), so prefer a safer startup mechanism (systemd unit with protected env file or run under an unprivileged user).
4) Investigate the unexpected defaults in the code (HA_URL defaulting to https://ha.right-api.com and the embedded WHATSAPP_OWNER number) and change them or remove them before running.
5) If you want to proceed, run the monitor in an isolated test environment (non-privileged account, VM/container) and manually review the Docker image and the Python script for any network calls or data exfiltration you don't expect.
6) If you are not comfortable auditing the Docker image or the script, do not install on production systems that hold sensitive credentials or data.
Capability Analysis
Type: OpenClaw Skill
Name: openclaw-skill-red-alert
Version: 1.1.0
The `install.sh` script contains a critical shell injection vulnerability. User-provided input for environment variables (e.g., MONITORED_AREAS, WHATSAPP_GROUP_JID, HASS_TOKEN) is written to a `.env` file without proper sanitization. This `.env` file is then `source`d and its contents are processed by `export $(cat ... | xargs)` and `tr` to construct a crontab entry, allowing for arbitrary command execution if malicious input is provided during the interactive setup. Additionally, the `install.sh` script establishes persistence via `nohup` and `@reboot` crontab entries, and pulls a third-party Docker image (`dmatik/oref-alerts:latest`), introducing supply chain risk.
Capability Assessment
Purpose & Capability
The skill's code and installer clearly require an OpenClaw CLI, Docker, and optional Home Assistant / 3CX endpoints, but the registry metadata declares no required binaries or environment variables — that's a mismatch. The functionality (polling an OREF proxy, sending WhatsApp via OpenClaw, TTS and optional 3CX calls) is coherent with the description, but the packaging/metadata understates the actual dependencies and privileges.
Instruction Scope
SKILL.md and install.sh instruct the agent/user to run a persistent Python monitor, add an @reboot crontab entry, and run a Docker proxy. The runtime code posts to external endpoints (CX3_API and HA_URL) and invokes the OpenClaw CLI via subprocess. The instructions persist long‑running processes, write logs to /var/log/oref_native.log, and place full environment assignments into the crontab line — which can expose secrets. There is an unexpected default HA_URL (https://ha.right-api.com) in the code (not documented in README), which is surprising and should be verified.
Install Mechanism
install.sh pulls a Docker image (dmatik/oref-alerts:latest) from Docker Hub and runs it as a proxy. Downloading and running an unreviewed third‑party container is higher risk because arbitrary code runs on the host. The script also runs pip install for Python packages and modifies crontab and starts background processes. No digital signature or verified release host is provided for the docker image.
Credentials
The code expects and uses multiple environment values (OPENCLAW_BIN, OREF_API_URL, MONITORED_AREAS, WHATSAPP_GROUP_JID, WHATSAPP_OWNER, HASS_SERVER, HASS_TOKEN, CX3_API, CX3_EXTENSION, etc.), but the registry lists none. Sensitive values (HASS_TOKEN, CX3 configuration) may be stored in .env and then embedded into the crontab string, which increases exposure. The code also embeds a default WHATSAPP_OWNER phone number and a default HA_URL pointing to an external domain — unexpected and should be questioned.
Persistence & Privilege
The installer adds an @reboot crontab entry that includes full environment assignments and starts a persistent background monitor (nohup &). It also creates a Docker container that restarts unless stopped. While persistence is consistent with a monitoring service, writing env values (including tokens) into crontab and placing long‑running processes under root paths (/root/.openclaw/...) increases the attack surface and the chance of unintended credential exposure.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install openclaw-skill-red-alert
- After installation, invoke the skill by name or use /openclaw-skill-red-alert
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.0
OpenClaw native Israeli red alert system - WhatsApp + TTS + area filter
v1.0.1
OpenClaw native Israeli red alert system
v1.0.0
Initial release
Frequently Asked Questions
What is Red Alert (Israel)?
Israeli Home Front Command alerts - fully OpenClaw native. No Home Assistant. No wacli. No Docker monitor. OpenClaw handles everything: WhatsApp + TTS. It is an AI Agent Skill for Claude Code / OpenClaw, with 446 downloads so far.
How do I install Red Alert (Israel)?
Run "/install openclaw-skill-red-alert" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Red Alert (Israel) free?
Yes, Red Alert (Israel) is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Red Alert (Israel) support?
Red Alert (Israel) is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Red Alert (Israel)?
It is built and maintained by shaike1 (@shaike1); the current version is v1.1.0.