v1.0.4

Clawshorts Pkg

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:16 AM.

Analysis

The skill mostly matches its stated purpose, but it installs a persistent Fire TV control daemon and includes an unsafe helper validation path that could execute unintended local code if given a malicious IP string.

GuidanceInstall only if you want a persistent local daemon controlling your Fire TV through ADB. Keep ADB limited to a trusted network, use the documented primary commands, avoid passing untrusted text as an IP address, and review or patch the bash daemon helper before relying on it.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution

SeverityMediumConfidenceHighStatusConcern

scripts/clawshorts-daemon.sh

python3 -c "... ip = '$ip' ... if not re.match(..., ip): ..."

The helper validates an IP address by interpolating the raw shell variable into executable Python code before validation. A crafted value containing a quote could break out of the string if this helper is invoked directly with untrusted input.

User impactA malicious device address copied into this helper could run code on the user's computer under their account.

RecommendationUse the primary clawshorts.sh/Python CLI path, and fix this helper to pass the IP as an argument to Python instead of embedding it in code.

Rogue Agents

SeverityMediumConfidenceHighStatusNote

scripts/clawshorts.sh

<key>RunAtLoad</key> <true/> ... <key>KeepAlive</key> <true/> ... systemctl --user enable --now clawshorts.service

The install command creates a launchd or systemd user service that starts automatically and keeps the daemon running.

User impactAfter installation, the limiter can continue monitoring and blocking YouTube until the user stops or uninstalls it.

RecommendationRun install only if you want a persistent background blocker; verify the LaunchAgent/systemd service and keep the uninstall command available.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusNote

scripts/clawshorts-daemon.sh

adb -s "$ip:5555" shell am force-stop "$YOUTUBE_PKG"

The daemon uses ADB shell commands to force-stop the YouTube app when the configured limit is reached.

User impactThis is the intended enforcement mechanism, but it gives the skill authority to change what is running on the Fire TV.

RecommendationOnly configure trusted Fire TV IPs and confirm the daily limit before enabling the daemon.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityMediumConfidenceHighStatusNote

README.md

ADB lets your computer control your Fire TV. Only enable this on a trusted home network.

The skill requires ADB debugging, which grants the computer control authority over the Fire TV.

User impactAnyone with ADB access on the same trusted path may be able to control the device, not just limit Shorts.

RecommendationEnable ADB only on a trusted home network and disable it if you no longer need the limiter.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityLowConfidenceHighStatusNote

TROUBLESHOOTING.md

`~/.clawshorts/clawshorts.db` — your watch history ... `~/.clawshorts/ui-<IP>.xml` — Last UI hierarchy dump

The skill stores persistent local usage history and a last UI hierarchy dump from the Fire TV.

User impactLocal files may reveal device IPs, viewing-limit history, and some screen/UI state from the Fire TV.

RecommendationTreat ~/.clawshorts as private data and delete the database/log/UI dump files if you uninstall and do not want the history retained.