ClawShorts
Security checks across malware telemetry and agentic risk
Overview
ClawShorts appears purpose-aligned and disclosed, but it uses ADB, a persistent background daemon, and local watch-history storage, so users should understand those effects before installing.
Before installing, make sure you are comfortable enabling ADB on your Fire TV, running a background daemon, and having YouTube automatically closed when the quota is reached. Use only private home-network IPs, review configured devices with `shorts list/status`, and uninstall or disable the daemon when you no longer want continuous enforcement.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone with ADB access on the same network may be able to control the Fire TV, so enabling ADB changes the security posture of the device.
The skill requires ADB control of Fire TV devices. The warning is clear and purpose-aligned, but ADB access is a meaningful device-control permission boundary.
**ADB has no built-in authentication.** Only enable ADB Debugging on a **trusted, password-protected home network**.
Use only on a trusted home network, disable ADB when not needed, and avoid exposing Fire TV ADB to public or guest networks.
When the configured limit is reached, YouTube may close abruptly without an on-screen confirmation.
The limiter enforces quotas by issuing an ADB command that force-stops YouTube. This is central to the stated purpose, but it is an automatic high-impact action on the device.
adb -s "$ip:5555" shell am force-stop "$YOUTUBE_PKG"
Confirm the daily limits and enabled devices before starting the daemon, and use the documented stop/uninstall commands if enforcement is no longer desired.
The limiter can continue monitoring configured Fire TV devices and enforcing limits after the initial setup session.
The install command creates a user-level LaunchAgent that starts at login and is kept alive. This persistence is disclosed and needed for continuous monitoring, but it means the skill keeps running in the background.
<key>RunAtLoad</key>
<true/>
<key>KeepAlive</key>
<true/>
Install persistence only if continuous enforcement is desired; use `shorts stop` or `shorts uninstall` to disable it.
Local files may reveal which configured devices watched Shorts and for how long.
The skill stores per-device watch history and configuration locally. This is disclosed and necessary for quota tracking, but it is persistent behavioral data.
Database: `~/.clawshorts/clawshorts.db` ... `daily_usage` — daily watch time per device
Treat `~/.clawshorts/` as private user data, avoid sharing logs/databases, and remove the directory manually if you want to delete retained history after uninstall.
If a lower-level script is run directly instead of the documented wrapper, it may attempt ADB connections to an unintended non-private IP.
This fallback/direct daemon validation checks IPv4 format and octet range but does not show the same private-range restriction promised in SKILL.md. The main wrapper does include private-IP checks, so this is an entry-point consistency note rather than clear malicious behavior.
if any(int(o) > 255 for o in ip.split('.')):
    sys.exit(1)
Use the documented `clawshorts.sh`/`shorts` commands for setup and connection, and verify device IPs are private home-network addresses.
