Texas Electricity Savings Monitor

OpenClaw-optimized skill for Texas residential electricity shopping, address completion, candidate confirmation, ESIID lookup, usage estimation, plan recomme...

This skill appears to do what it says (address normalization, candidate confirmation, usage and plan lookups) and calls upstream services to fetch data. However, the code contains a hard-coded API bearer token and will send user addresses to powerlego.com/personalized.energy without asking for credentials. Consider these steps before installing: 1) Only install if you trust the owner (Personalized Energy) and their privacy practices. 2) Ask the publisher to confirm the embedded token's scope and that it is safe to share (or preferable: replace the hard-coded token with an environment-configured credential you control). 3) Confirm what user data is sent upstream and whether it is logged, stored, or linked to the token. 4) If you cannot verify the token provenance, avoid installing or request a version that requires the integration token be provided via an environment variable so it is auditable and can be revoked/rotated. 5) If you proceed, monitor for unexpected behavior and consider limiting the skill's use to non-sensitive address queries until you are satisfied with the publisher's responses.

Type: OpenClaw Skill Name: texas-electricity-savings-monitor-openclaw Version: 1.0.0 The skill bundle is classified as suspicious due to the presence of a hardcoded API bearer token in `scripts/powerlego_api.py`, which represents a significant security vulnerability (CWE-798). While the agent instructions in `SKILL.md` and the logic across the Python scripts (e.g., `scripts/fetch_best_plan.py` and `scripts/lookup_candidate_addresses.py`) are functionally consistent with the stated purpose of Texas electricity plan monitoring and show no evidence of malicious intent or data exfiltration, the inclusion of static credentials qualifies the bundle as suspicious under the provided criteria.