Skillv0.2.0

ClawScan security

Apple Books · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 8, 2026, 8:38 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill is internally consistent: it contains only read-only sqlite3 queries against the local Apple Books SQLite databases on macOS and requests no external credentials or installs — but it accesses sensitive personal data and requires Full Disk Access, so only install if you trust the author.
Guidance: This skill appears to do exactly what it says — run read-only sqlite3 queries against your local Apple Books databases — but it accesses sensitive personal content (books, highlights, notes) and requires granting Full Disk Access to the process that runs these commands. Before installing: (1) verify you trust the skill's source/homepage and the publisher (provenance in _meta.json differs from registry metadata); (2) prefer running the shown sqlite3 commands locally yourself in Terminal first so you can inspect results and confirm behavior; (3) do not grant Full Disk Access to untrusted agents or skills; (4) be aware that SEARCH_TERM/ASSET_ID are substituted directly into SQL strings — avoid entering untrusted or unexpected values if you don't want broader reads; and (5) if you need stricter isolation, run these commands in a separate macOS user account or machine where you control permissions.

Review Dimensions

Purpose & Capability: okName/description match the runtime instructions: the SKILL.md shows sqlite3 SELECT queries against Apple Books DB files under ~/Library/Containers/com.apple.iBooksX. Required binary (sqlite3) and macOS-only constraint are appropriate. Minor provenance inconsistency: _meta.json lists ownerId "local" and version 0.1.0 while registry metadata shows a different owner and version 0.2.0; this is a bookkeeping/provenance mismatch but does not contradict the skill's stated purpose.
Instruction Scope: noteAll instructions are limited to reading local SQLite files and explicitly warn against writes. No network endpoints or external uploads are used. However: (1) the skill requires Full Disk Access for the executing process — a sensitive OS permission that grants access to user data; (2) queries are built by simple string substitution (e.g., replacing SEARCH_TERM or ASSET_ID) rather than parameterized statements, so crafted inputs could cause broader/unexpected SQL reads within those databases; and (3) because this reads personal highlights/notes, it exposes sensitive content if the agent prints or transmits results. These behaviors are expected for the stated purpose but have privacy implications.
Install Mechanism: okNo install spec and no code files (instruction-only). This minimizes installation risk — nothing is downloaded or written to disk by the skill itself.
Credentials: okThe skill requests no environment variables or external credentials, which is appropriate. The notable privilege is an OS-level requirement: Full Disk Access is necessary to read the Books DB files; this is proportionate for the stated function but high-impact for privacy.
Persistence & Privilege: okalways:false (not force-included) and normal model invocation permissions. The skill does not request persistent system changes, nor does it modify other skills or system-wide config. Autonomous invocation is allowed by platform default — combined with Full Disk Access this increases potential blast radius only if you grant that permission to a compromised/untrusted skill.