Skill v1.6.1
ClawScan security
Adb Claw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 14, 2026, 7:23 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements, install steps, and runtime instructions are coherent with an Android device-control tool; nothing requested appears unrelated to its stated purpose, though it grants powerful device access (screen, UI, audio) that has expected privacy implications.
- Guidance: This skill legitimately controls Android devices and can read screenshots, on-screen text (accessibility), and system audio — which may expose private content. Only install if you trust the GitHub project and will use it on devices you own or have permission to control. Recommendations before installing:
  - Verify the adb-claw release binary on the GitHub repo (pin a specific release and check checksums/signatures rather than using `latest`).
  - Ensure ADB debugging is enabled only when needed and revoke debugging when finished.
  - Be aware that 'monitor' and 'audio capture' features will capture sensitive data; do not connect unknown devices.
  - If you want to limit risk, require explicit user invocation (disable automatic triggers) or review the binary locally before allowing the agent to auto-download/run it.
Review Dimensions
- Purpose & Capability (ok): Name/description match the requested binaries and behavior: adb-claw (custom CLI) plus adb are exactly what an Android control/automation tool needs. The install entries (adb binary via brew, adb-claw via GitHub releases) are consistent with the stated purpose.
- Instruction Scope (note): SKILL.md instructs the agent to capture screenshots, indexed UI trees, accessibility text, and device audio — all coherent with device-control. There is no instruction to read unrelated host files or env vars. Note: monitor and audio-capture features are powerful (they collect UI text and system audio), so the user should expect sensitive data to be accessible when the skill runs.
- Install Mechanism (ok): Install uses the standard brew formula for adb (android-platform-tools) and direct downloads from GitHub Releases for the adb-claw binary. GitHub Releases is a common, traceable distribution channel; downloads are single binaries (not obscure shorteners or personal IPs).
- Credentials (ok): The skill requests no environment variables, credentials, or config paths. The lack of extra secrets is proportionate to its stated functionality.
- Persistence & Privilege (ok): always:false and no special system/config modifications requested. The skill can be invoked autonomously when triggers match (default platform behavior), which is expected for an automation skill; it does not request elevated host privileges.
