Ulanzi TC001

Pass

Audited by ClawScan on May 1, 2026.

Overview

This appears to be a scoped local controller for a Ulanzi pixel clock, with expected cautions around changing device settings and any optional YouTube API key.

Before installing, confirm that config.json contains your clock's IP address and only provide optional API keys you are comfortable storing on the device. The artifacts otherwise look coherent for local TC001 control.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the configured IP is wrong or the user gives an unintended command, the agent could change settings on the wrong clock or alter brightness, gadgets, timezone, or app configuration.

Why it was flagged

The helper sends HTTP POST requests that save settings on the configured TC001 device. This is expected for the skill's purpose, but it is still mutation authority over a local device.

Skill content

def save_sys_settings(data: dict): ... return http_post("/", payload)

def save_app_settings(data: dict): ... return http_post("/app_switch", payload)

Recommendation

Verify config.json points to your TC001 before using write commands, and use status/list commands first when unsure.

What this means

A YouTube API key entered through this skill may be stored on the device and sent over the device's local HTTP configuration flow.

Why it was flagged

The skill can configure a YouTube API key for the clock's YouTube gadget and explicitly warns that the key is private. This is purpose-aligned and optional, with no evidence of hardcoding, logging, or unrelated transmission.

Skill content

- youtube_uid / youtube_apikey / youtube_animation / youtube_color / youtube_format
...
- Keep YouTube API key private (if used).

Recommendation

Only provide a key intended for this gadget, keep it scoped as narrowly as possible, and rotate it if you think it was exposed.

What this means

You have less external provenance information for deciding whether to trust the included helper script.

Why it was flagged

The package has limited provenance metadata. However, no remote install step, package dependency, or hidden helper source is evidenced in the provided artifacts.

Skill content

Source: unknown
Homepage: none
Install specifications: No install spec — this is an instruction-only skill.

Recommendation

Review the included script and configuration before use, especially the target IP addresses, but no suspicious supply-chain behavior is shown.