← 返回 Skills 市场
446
总下载
1
收藏
0
当前安装
3
版本数
在 OpenClaw 中安装
/install openclaw-skill-red-alert
功能描述
Israeli Home Front Command alerts - fully OpenClaw native. No Home Assistant. No wacli. No Docker monitor. OpenClaw handles everything: WhatsApp + TTS.
安全使用建议
Before installing: 1) Verify the source/trustworthiness of the Docker image dmatik/oref-alerts (inspect the image contents or vendor) — pulling an untrusted container runs arbitrary code. 2) Confirm you have a legitimate OpenClaw CLI and understand that the skill will call it via subprocess. 3) Inspect and control environment values: avoid using real HASS_TOKEN or other production credentials during testing; note that install.sh writes env values into crontab (which may expose secrets), so prefer a safer startup mechanism (systemd unit with protected env file or run under an unprivileged user). 4) Investigate the unexpected defaults in the code (HA_URL defaulting to https://ha.right-api.com and the embedded WHATSAPP_OWNER number) — change them or remove them before running. 5) If you want to proceed, run the monitor in an isolated test environment (non‑privileged account, VM/container) and manually review the Docker image and the Python script for any network calls or data exfiltration you don't expect. 6) If you are not comfortable auditing the Docker image or the script, do not install on production systems that hold sensitive credentials or data.
功能分析
Type: OpenClaw Skill
Name: openclaw-skill-red-alert
Version: 1.1.0
The `install.sh` script contains a critical shell injection vulnerability. User-provided input for environment variables (e.g., MONITORED_AREAS, WHATSAPP_GROUP_JID, HASS_TOKEN) is written to a `.env` file without proper sanitization. This `.env` file is then `source`d and its contents are processed by `export $(cat ... | xargs)` and `tr` to construct a crontab entry, allowing for arbitrary command execution if malicious input is provided during the interactive setup. Additionally, the `install.sh` script establishes persistence via `nohup` and `@reboot` crontab entries, and pulls a third-party Docker image (`dmatik/oref-alerts:latest`), introducing supply chain risk.
能力评估
Purpose & Capability
The skill's code and installer clearly require an OpenClaw CLI, Docker, and optional Home Assistant / 3CX endpoints, but the registry metadata declares no required binaries or environment variables — that's a mismatch. The functionality (polling an OREF proxy, sending WhatsApp via OpenClaw, TTS and optional 3CX calls) is coherent with the description, but the packaging/metadata understates the actual dependencies and privileges.
Instruction Scope
SKILL.md and install.sh instruct the agent/user to run a persistent Python monitor, add an @reboot crontab entry, and run a Docker proxy. The runtime code posts to external endpoints (CX3_API and HA_URL) and invokes the OpenClaw CLI via subprocess. The instructions persist long‑running processes, write logs to /var/log/oref_native.log, and place full environment assignments into the crontab line — which can expose secrets. There is an unexpected default HA_URL (https://ha.right-api.com) in the code (not documented in README), which is surprising and should be verified.
Install Mechanism
install.sh pulls a Docker image (dmatik/oref-alerts:latest) from Docker Hub and runs it as a proxy. Downloading and running an unreviewed third‑party container is higher risk because arbitrary code runs on the host. The script also runs pip install for Python packages and modifies crontab and starts background processes. No digital signature or verified release host is provided for the docker image.
Credentials
The code expects and uses multiple environment values (OPENCLAW_BIN, OREF_API_URL, MONITORED_AREAS, WHATSAPP_GROUP_JID, WHATSAPP_OWNER, HASS_SERVER, HASS_TOKEN, CX3_API, CX3_EXTENSION, etc.), but the registry lists none. Sensitive values (HASS_TOKEN, CX3 configuration) may be stored in .env and then embedded into the crontab string, which increases exposure. The code also embeds a default WHATSAPP_OWNER phone number and a default HA_URL pointing to an external domain — unexpected and should be questioned.
Persistence & Privilege
The installer adds an @reboot crontab entry that includes full environment assignments and starts a persistent background monitor (nohup &). It also creates a Docker container that restarts unless stopped. While persistence is consistent with a monitoring service, writing env values (including tokens) into crontab and placing long‑running processes under root paths (/root/.openclaw/...) increases the attack surface and the chance of unintended credential exposure.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install openclaw-skill-red-alert - 安装完成后,直接呼叫该 Skill 的名称或使用
/openclaw-skill-red-alert触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.1.0
OpenClaw native Israeli red alert system - WhatsApp + TTS + area filter
v1.0.1
OpenClaw native Israeli red alert system
v1.0.0
Initial release
元数据
常见问题
Red Alert (Israel) 是什么?
Israeli Home Front Command alerts - fully OpenClaw native. No Home Assistant. No wacli. No Docker monitor. OpenClaw handles everything: WhatsApp + TTS. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 446 次。
如何安装 Red Alert (Israel)?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install openclaw-skill-red-alert」即可一键安装,无需额外配置。
Red Alert (Israel) 是免费的吗?
是的,Red Alert (Israel) 完全免费(开源免费),可自由下载、安装和使用。
Red Alert (Israel) 支持哪些平台?
Red Alert (Israel) 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Red Alert (Israel)?
由 shaike1(@shaike1)开发并维护,当前版本 v1.1.0。
推荐 Skills