Back to skill
Skillv1.1.0
ClawScan security
Sparkle VPN · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 28, 2026, 7:07 PM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code and runtime instructions match its stated purpose (controlling a local Sparkle/Mihomo VPN), with no evidence of unrelated credential requests or external code downloads — but it will modify system proxy settings and kill/start local processes, so install only if you trust it to manage your local VPN.
- Guidance
- This skill appears to do exactly what it says: control a local Sparkle/Mihomo VPN. Before installing, verify: 1) you have the Mihomo/Sparkle binaries and the referenced profile (~/.config/sparkle/profiles/19c48c94cbb.yaml) or adjust scripts accordingly; 2) you are comfortable with scripts that start/kill processes and change GNOME proxy settings and write ~/.config/sparkle/proxy.env; 3) required tools (curl, python3, gsettings, pgrep/pkill) are present — the skill does not declare these dependencies; 4) the diagnostic call to https://ipinfo.io/ip will reveal your public IP to that service (harmless for most users, but note if you want no external calls). If unsure, inspect/modify the scripts (they are plain shell) or run them in an isolated/test environment first.
Review Dimensions
- Purpose & Capability
- okThe name/description (control Sparkle VPN via Mihomo core) align with the included scripts and index.ts handlers. Scripts operate on ~/.config/sparkle, call the local Mihomo binary (/opt/sparkle/resources/sidecar/mihomo) and the local API at 127.0.0.1:9090 — all consistent with the declared purpose.
- Instruction Scope
- okRuntime instructions and scripts stay within the VPN management domain: starting/stopping mihomo, switching nodes via the local API, and enabling/disabling system proxy via gsettings and a proxy.env file. The scripts also call ipinfo.io to display public IP (an external endpoint used only for diagnostics). They do not read or transmit unrelated files or secrets.
- Install Mechanism
- okThere is no external installer or remote download; files are included in the skill bundle and index.ts runs local shell scripts. No URLs or archive extraction are used, lowering install risk.
- Credentials
- noteThe skill declares no required env vars or credentials (appropriate). However scripts assume availability of tools (curl, python3, gsettings, pgrep/pkill) and a local Mihomo binary at /opt/sparkle/... and a profile at ~/.config/sparkle/profiles/19c48c94cbb.yaml; these are reasonable for the task but are not declared. The only external network call is to ipinfo.io for IP checks (diagnostic only).
- Persistence & Privilege
- notealways:false (normal). The skill can start/stop processes and change system proxy settings (gsettings and writing ~/.config/sparkle/proxy.env) and will therefore affect system state and network behavior — this is expected for a VPN control tool but is a privileged action the user should consent to.