Skill v0.1.1

ClawScan security

Meshtastic Detection · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 6, 2026, 8:54 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This skill's code, instructions, and requirements are consistent with its stated purpose (reading Meshtastic DETECTION_SENSOR_APP messages over USB, storing them locally, and alerting via OpenClaw/Feishu); nothing requested looks disproportionate or unrelated.
Guidance
This skill appears to do exactly what it claims: read detection messages from a Meshtastic USB device, store them locally, and trigger OpenClaw/Feishu alerts. Before installing, review setup.sh (it may download get-pip.py and runs pip install), confirm you are comfortable granting the service access to the serial device (systemd/launchd install or Docker with device mapping and optional privileged mode), and ensure the OpenClaw cron is configured to deliver to the correct Feishu open_id. If you run this on a shared/production host, prefer installing as an unprivileged user with explicit device mappings and inspect the Python dependencies (meshtastic, pypubsub) from PyPI if you require stricter supply-chain auditing.

Review Dimensions

Purpose & Capability
ok: Name/description match the files and scripts: usb_receiver.py listens on a USB serial device for DETECTION_SENSOR_APP messages, sensor_cli.py and event_monitor.py query/read the local JSONL store, and cron/OpenClaw are used to deliver Feishu alerts. Required binaries (Python 3.10+) are appropriate and expected.
Instruction Scope
ok: SKILL.md instructs the agent to run the provided scripts, set up a venv, and create an OpenClaw cron job that runs event_monitor.py. The instructions only reference local files, the serial device, and OpenClaw's messaging delivery; they do not instruct reading unrelated system files or exfiltrating data to unknown endpoints.
Install Mechanism
note: No formal registry install spec is present; installation is via the included setup.sh which creates a venv and pip-installs requirements from PyPI. setup.sh may download get-pip.py from https://bootstrap.pypa.io if necessary (a known source). This is expected for a Python-based project, but the user should review setup.sh before running to confirm the network fetch and sudo/apt steps are acceptable in their environment.
Credentials
ok: The skill requests no secrets/env vars in the registry metadata. The code optionally respects MESH_SERIAL_PORT and MESH_DATA_DIR environment variables (reasonable). The skill references Feishu delivery via OpenClaw cron but does not ask for Feishu tokens itself (OpenClaw handles delivery), which is coherent.
Persistence & Privilege
note: always is false and model invocation is allowed (platform default). The project offers installing a systemd/launchd service and a Docker entrypoint; the Docker example shows 'privileged: true' and device mappings, which are typical for direct serial device access but grant broad host device privileges. Installing system services requires elevated privileges (sudo). Users should be aware of these actions and approve them before installing.