Skillv1.0.3

ClawScan security

Private Web App (PWA) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 23, 2026, 1:18 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill appears to implement a local PWA dashboard (file browser, system monitor) and mostly matches its description, but there are several inconsistencies and actions (cloning/running an external install script, creating user services, broad system inspection, default file-root = home) that deserve manual review before installing.
Guidance: This package appears to be a legitimate personal dashboard, but several things should be checked before installing: - Do not blindly run scripts/install.sh that you cloned from the network. Inspect the contents of scripts/install.sh and scripts/install.py in the bundle (they are included) and confirm they do what you expect. Prefer installing from the bundled files rather than re-cloning the remote repo unless you trust that remote source. - Review the systemd/launchd service file the installer creates. Make sure the server is bound to localhost or your intended interface and not exposed publicly unless you intend it and have firewall/Tailscale configured securely. - The default file browser root is the user's home directory (~). If you plan to use the file browser, set file_browser.root to a restrictive folder to avoid exposing sensitive files (e.g., point it at a dedicated directory). The file browser allows reading and downloading files under that root. - The system monitor runs system commands (systemctl, pgrep, lspci, nvidia-smi) and reads sysfs to enumerate services and hardware. That's expected, but it also discloses local hostnames, running services, and other metadata — treat that data as sensitive and limit network exposure. - The app generates and stores VAPID keys and push subscription data in ~/.local/share/privateapp. Ensure file permissions are appropriate and that you understand where keys are kept. - Investigate scripts/commons/openclaw_client.py and any networking code to verify whether the app will call external services or endpoints you don't expect. If you do not want outbound network calls, block them during install or run in an isolated environment (VM/container) first. If anything in the install script or service files looks surprising (creating global system services, changing firewall, registering with third-party services), do not enable the service until you understand and approve those actions.

Review Dimensions

Purpose & Capability: noteThe code and SKILL.md implement a personal PWA dashboard with a FastAPI backend and React frontends (file browser, system monitor). That matches the skill name/description. However the metadata claims no runtime requirements or install steps while SKILL.md explicitly requires Python 3.9+ and Node 18+ and instructs cloning and running scripts/install.sh. Also the bundled package already contains the same source files, yet the instructions tell the user to git clone a remote repo — this mismatch is unexpected and should be clarified.
Instruction Scope: concernRuntime instructions tell the user to clone https://github.com/camopel/PrivateApp and run scripts/install.sh which creates a venv, builds frontends, and installs a systemd user service or launchd plist. The backend apps perform broad local actions: the file browser reads and downloads files under a configured root (default: home), and the system monitor inspects systemd units, runs systemctl/pgrep/lspci/nvidia-smi, and reads sysfs. These behaviors are consistent with a dashboard but involve reading potentially sensitive user files and enumerating/running system commands. The instruction to run a remote install script (rather than using bundled code) is particularly risky because it executes code fetched from the network.
Install Mechanism: concernThere is no declared install spec in the registry, yet SKILL.md instructs cloning a GitHub repo and running scripts/install.sh. The skill bundle already contains many source files, so cloning an external repo is redundant and raises the question: which code will actually be run? Running install.sh (an archive-provided shell script) can write files, create services, and execute arbitrary commands. Cloning from GitHub (a well-known host) is less risky than an arbitrary URL, but executing an install script taken from the network without review is high-risk.
Credentials: noteThe registry lists no required environment variables or credentials. The project uses VAPID keys for push (install prompts for an email and generates keys stored in ~/.local/share/privateapp) and may optionally configure Tailscale for external access. No secret env vars are requested by the skill metadata, but the installed service will store keys and holds access to local files and system service state. Ensure you understand where keys and subscription data are stored and who can access the running service.
Persistence & Privilege: noteThe installer creates a persistent user service (systemd user unit or launchd plist) that runs the server on boot for the user. 'always' is not set in the skill metadata. Creating a user-level service and optionally configuring Tailscale/HTTPS are expected for a personal dashboard, but this grants the skill ongoing presence on the machine and network exposure — review the service configuration and network binding (host/port) before enabling.