Skill v1.0.0

ClawScan security

Mac AI Optimizer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 7, 2026, 7:27 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and scripts do what the README/SKILL.md describe – they modify macOS settings (UI/services), adjust Docker guidance/cleanup, and enable SSH – and there are no hidden network calls, unrelated credentials, or surprising install steps.
Guidance
This plugin appears coherent with its stated purpose, but it makes system-level changes. Before running: (1) Review the bundled scripts yourself (they are included) to confirm you accept each change. (2) Understand the admin requirement: several steps use sudo (mdutil, purge, systemsetup) and will either fail without a password or require you to grant privileges. (3) Enabling SSH opens remote access; only enable it if you trust the network and plan to secure accounts (strong passwords / SSH keys, firewall). (4) Test incrementally: run system_report.sh, then individual optimizations (optimize_memory.sh, reduce_ui.sh, docker_optimize.sh) rather than full_optimize.sh on first use. (5) Keep the revert_all.sh command handy to restore defaults. If you are uncertain about granting an agent the ability to run these tools autonomously, require explicit user confirmation before executing any optimization (especially enable_ssh).

Review Dimensions

Purpose & Capability
ok: The plugin's name/description match the implemented behavior: shell scripts disable background services, tweak UI defaults, advise/configure Docker limits, and enable SSH. All requested actions are coherent with optimizing a Mac for AI workloads.
Instruction Scope
note: SKILL.md and the scripts instruct the agent to run local shell scripts that change system settings and stop processes. These actions are within the declared purpose, but they are system-level changes (Spotlight, Siri, iCloud daemons, purge, defaults writes, systemsetup for SSH). The scripts only read and display local network addresses and system info; they do not transmit data externally.
Install Mechanism
ok: There is no remote install/download. This is an instruction-only skill with bundled local shell scripts and a small JS wrapper that executes them. No external URLs or package installs are used.
Credentials
ok: The skill requires no environment variables, credentials, or config paths. The system modifications it performs are justified by the stated goals (reducing background services, enabling SSH, Docker cleanup).
Persistence & Privilege
note: The skill does not request always:true and does not change other skills. However, many operations require administrative privileges (sudo) and will modify system settings (including enabling Remote Login/SSH). If invoked, these changes persist until reverted; the skill includes a revert_all script to undo changes.