Skill v1.0.2

ClawScan security

Lametric Cli · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 16, 2026, 6:24 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally consistent: it is an instruction-only wrapper that expects the lametric CLI and a LaMetric API key to control local LaMetric devices, and its requirements match its described purpose.
Guidance
This skill appears to be what it claims: a wrapper around the lametric CLI that uses a LaMetric API key and local-network discovery to control devices. Before installing, verify the Homebrew tap (dedene/tap) and the GitHub repository (github.com/dedene/lametric-cli) are legitimate and maintained; prefer official release pages or signed packages when available. Treat your LAMETRIC_API_KEY like any device credential—only provide it to code you trust and consider using environment variables or your OS credential store rather than embedding keys in files. Note the SKILL.md contains a truncated install line and a version string mismatch (SKILL.md metadata shows 1.1.0 while registry metadata lists 1.0.2); these are minor editorial inconsistencies but worth checking on the project page before trusting binaries.

Review Dimensions

Purpose & Capability
ok
Name/description, required binary (lametric), primaryEnv (LAMETRIC_API_KEY), and the install options (Homebrew tap and Go package from GitHub) align with a CLI wrapper for LaMetric devices. Asking for an API key is expected.
Instruction Scope
ok
SKILL.md instructs only running the lametric CLI, using device discovery on the local network, streaming images, and setting keys/config in ~/.config/lametric-cli/config.yaml — all within the stated domain. It does not ask for unrelated files or additional credentials.
Install Mechanism
ok
Installers are Homebrew (dedene/tap) and go install from github.com/dedene/lametric-cli, which are typical for CLI tools. These are not high-risk arbitrary downloads, but users should verify trust in the dedene/tap and the GitHub repo before installing.
Credentials
ok
Only the LaMetric API key (LAMETRIC_API_KEY) is declared as primary credential; the skill optionally references LAMETRIC_DEVICE for device IP. No unrelated secrets or numerous credentials are requested.
Persistence & Privilege
ok
always is false and the skill does not request elevated or persistent system-wide privileges. It does not modify other skills' config or require always-on presence.