Skill v1.0.4

ClawScan security

Clawhub Upload · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 11, 2026, 9:34 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code implements a small set of local macOS checks (camera, mic, firewall, VPN, ports, Wi‑Fi) and runs shell commands, which matches the stated purpose in part, but the documentation and metadata over‑claim features and list permissions (fs.read, network) that the shipped code does not use — an incoherence worth warning about.
Guidance
This package runs local macOS commands (lsof, scutil, system_profiler, socketfilterfw) to report camera/microphone, firewall, VPN, open ports and Wi‑Fi security — that behavior is visible in the included source and does not send data out. However: the documentation and metadata overstate capabilities (many features listed in README are not implemented) and declare fs.read and network permissions that the code doesn't use. Before installing: 1) verify the npm package and GitHub repo are authentic (owner, recent commits, stars, issues), 2) inspect the published package contents (or install in a sandbox/VM) to confirm no network calls or file reads are added, 3) be cautious granting broad permissions (network/fs.read) because future updates could use them to exfiltrate data, and 4) treat the 'block-app' feature as a marketing stub (it does not actually remove apps in the shipped code). If you want this skill, prefer installing from the verified npm package or source and run it in a controlled environment first.

Review Dimensions

Purpose & Capability
Concern: The README/SKILL.md claim “52+ tasks”, many advanced detectors, and remote/Pro features, but the actual code implements only seven commands (camera-status, microphone-status, firewall-status, vpn-checker, open-ports, wifi-scanner, block-app). The marketing/upgrade messaging is disproportionate to the implemented capability (upsell behavior). Declared permissions (fs.read, network) are broader than what the code uses (the code only executes local commands).
Instruction Scope
Concern: SKILL.md explicitly requests exec, fs.read, and network permissions and instructs npm installation; the runtime code relies on exec to run lsof, scutil, system_profiler and socketfilterfw (local commands) and does not read files or make network calls. The skill text also promises 'All monitoring stays on your Mac' and pro features that would send alerts externally — but those are not implemented in the shipped code. This mismatch is scope creep/marketing inconsistency.
Install Mechanism
Note: Registry metadata lists no install spec even though package.json and SKILL.md instruct installing via npm (npmjs package and GitHub repo URLs present). There is no remote download in the registry spec, and the included code is local; still, the SKILL.md recommends npm install, which means users should verify the npm package and repository authenticity before installing.
Credentials
Concern: The skill requests no environment variables, which is good, but its declared OpenClaw permissions include fs.read and network even though the code does not use them. Network permission would increase blast radius if exercised in future updates (ability to exfiltrate). The requested exec permission is appropriate for the implemented local checks.
Persistence & Privilege
OK: always is false and the skill does not request persistent background monitoring or modify other skills. The skill's block-app command is a stub that returns an upsell message rather than performing destructive actions.