Skill v1.0.0

ClawScan security

Mac Control · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 15, 2026, 5:30 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's functionality (Mac UI automation) matches the included scripts, but the package metadata omits required binaries and contains hard-coded user paths and small inconsistencies — worth caution before installing or letting an agent run it.
Guidance
This skill appears to be a straightforward Mac UI automation toolkit, but take a few precautions before using it or letting an agent run it:

- Verify required binaries are present and trustworthy: cliclick (at /opt/homebrew/bin/cliclick), ImageMagick (magick), sips, osascript, screencapture. The metadata does not declare these dependencies — install/validate them yourself.
- The scripts assume specific paths (e.g., /Users/eason/clawd/ and /opt/homebrew/bin). Adjust paths to match your machine and inspect scripts before running.
- Review the bundled shell scripts line-by-line (they are plain text) and test them in a safe environment. They move the mouse, send keystrokes, and capture screenshots — these actions can interact with sensitive UIs (passwords, 2FA popups, private documents).
- Be cautious about giving an autonomous agent permission to execute these scripts: although the scripts do not perform network I/O, screenshots and keystrokes are sensitive surface area that could be exfiltrated if the agent is also allowed to send data externally.

If you want to proceed: correct the binary paths, run the scripts manually once to confirm behavior, and restrict any agent-level network or file-transmission permissions until you trust the skill.

Review Dimensions

Purpose & Capability
concern
The skill claims to automate Mac UI, which is consistent with the provided scripts. However, the registry metadata lists no required binaries or config, while the SKILL.md and scripts rely on specific tools (/opt/homebrew/bin/cliclick, magick/ImageMagick, sips, osascript, screencapture, system_profiler) and write a calibration file to ~/.clawdbot. The SKILL.md also references absolute user paths (/Users/eason/clawd/...) and helper scripts (attach-browser-relay.sh) that are not present in the package. These mismatches are unexpected and should be resolved before trusting the skill.
Instruction Scope
note
Instructions and scripts explicitly move the mouse, send keystrokes, take screenshots, inspect images, and query window bounds via AppleScript — all coherent with UI automation. They create and read files in /tmp and the user's home (~/.clawdbot) and assume the agent or user will open/read screenshot files to locate targets. This is in-scope but is privacy-sensitive (screenshots may contain sensitive data). There are no network calls or credential exfiltration in the scripts, but an agent with the ability to read and transmit files could leak screenshots, so run with that risk in mind.
Install Mechanism
ok
No install spec (instruction-only with bundled scripts) — lowest install risk (no external downloads). The package contains shell scripts that will be available to run, but nothing in the skill performs network downloads or executes code from external URLs.
Credentials
ok
The skill does not request any environment variables or credentials, which is appropriate. It does save calibration data under ~/.clawdbot and expects system binaries to exist; double-check those binaries/paths before use.
Persistence & Privilege
ok
The always flag is false and the skill does not request system-wide configuration changes. It writes a local calibration file (~/.clawdbot/mac-control-calibration.json), which is normal for a tool of this type. It does not modify other skills or global agent settings.