Claw Use — Device Control for AI Agents
Warn
Audited by ClawScan on May 10, 2026.
Overview
This skill openly aims to let agents control real devices, but it grants broad screen-reading, notification access, app control, messaging, remote access, and auto-unlock powers with little scoping and little reviewed implementation.
Install only if you intentionally want an agent to control a real device. Prefer a dedicated test device, restrict network access, protect tokens and PINs, require confirmation for actions that type/send/open/unlock, and verify the external `cu` CLI and device server before use.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could operate a real phone or other device, including typing into apps, opening links, and changing device state.
The skill exposes broad device-control commands that can tap, type, launch apps, open URLs, send platform intents, and lock or unlock a physical device. These powers are central to the purpose, but the artifacts do not bound when the agent may use them or require confirmation for high-impact actions.
cu tap <x> <y> ... cu type "text" ... cu launch <app> ... cu open <url> ... cu intent '<json>' ... cu lock / cu unlock
Use only with trusted devices and sessions; require explicit confirmation for mutating actions such as typing, sending, unlocking, opening URLs, or launching apps.
The agent could perform actions under the user's identity on apps already signed in on the device, such as messaging, browsing, or account changes.
The skill relies on device access tokens and can unlock devices using a PIN, yet the registry declares no primary credential or required environment variables. Once connected, the agent may act through logged-in device apps and accounts.
cu add redmi 192.168.0.105 <token> ... cu lock / cu unlock # lock/unlock (PIN required for unlock)
Use a dedicated test device or limited account, protect and rotate device tokens, avoid storing PINs where the agent can access them, and revoke access when not in use.
Private information visible on the device or in notifications could be exposed to the agent context or saved as screenshots.
The skill can bring device UI text, screenshots, and notifications into the agent context. Those sources may contain private messages, one-time codes, account information, or untrusted app content, and the artifacts do not describe filtering, retention, or user approval boundaries.
cu screen # UI tree (semantic: element text, bounds, state)
cu screenshot # visual capture (JPEG, configurable quality)
cu notifications # system notifications
Disable or limit notifications, avoid using the skill on devices with sensitive content, and require user approval before screenshots or screen/notification reads.
Users must trust external software not included in the skill artifacts before giving an agent physical-device control.
The reviewed package contains only instructions, while the core high-impact functionality depends on an external CLI and device implementation. The registry also lists no install spec or required binary, so the executable code that controls devices is outside this review context.
- `cu` CLI installed (ships with claw-use-android, or install standalone)
Install `cu` only from a trusted, pinned source; verify the device implementation; and treat the static scan result as not covering the external CLI or server.
