CitrineOS Assistant
Pass
Audited by ClawScan on May 10, 2026.
Overview
The skill is coherent for installing and managing CitrineOS, but it can guide system changes, background Docker services, and EV charging API actions that users should confirm.
This skill appears safe to use for its stated purpose, but treat it like an infrastructure administration helper: review commands before running them, confirm any charging-station API action, restrict cloud firewall exposure, and prefer pinned CitrineOS releases for production.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken target, station ID, or server URL could start or reset the wrong charging station.
The skill can guide HTTP calls that mutate EV charging station behavior. This matches the stated management purpose, but the actions can affect real infrastructure.
"Start transaction" → "POST Message API `RequestStartTransaction`"; "Reset station" → "POST Message API `Reset`"
Before any POST or reset/start action, confirm the server, station ID, environment, and intended effect with the user.
You will run code and dependencies from the current upstream repository state.
The installation path relies on an external repository and npm build/install scripts. This is expected for installing CitrineOS, but the artifact does not pin a release or commit.
`git clone https://github.com/citrineos/citrineos-core` ... `npm run install-all && npm run build`
For production installs, prefer a reviewed CitrineOS release/tag and inspect upstream installation instructions before running build commands.
Docker installation and group membership can grant broad control over local containers and, effectively, significant host access.
The skill may guide privileged package installation and adding the user to the Docker group. This is common for Docker setup, but it changes local system privileges.
`sudo apt-get update && sudo apt-get install -y docker.io` ... `sudo usermod -aG docker $USER`
Only run these commands on machines you administer, and understand the privilege implications of Docker group membership.
CitrineOS, database, broker, and related services may keep running until stopped.
The `-d` option starts CitrineOS services in the background. This is disclosed and normal for running a server, but it persists after the immediate command finishes.
`cd Server && docker-compose -f docker-compose.yml up -d`
Use the documented `docker-compose down` stop command when the services are no longer needed.
