Back to skill
Skillv0.1.1
ClawScan security
WiiM · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 11, 2026, 9:26 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's instructions and requirements are consistent with a CLI that discovers and controls WiiM/LinkPlay speakers on the local network; nothing requested or described is disproportionate to that purpose.
- Guidance
- This skill appears coherent for controlling WiiM speakers. Before installing or running the referenced wiim-cli: verify the wiim-cli package/source (PyPI/GitHub or vendor site) so you know what code will run on your machine; be aware discovery uses SSDP/UPnP (local network traffic) and 'play-url' will make the speaker fetch remote audio—avoid playing untrusted URLs. If you want extra caution, inspect the wiim-cli source code or run it in a sandboxed environment. If you rely on corporate network policies, check that SSDP/UPnP is allowed.
Review Dimensions
- Purpose & Capability
- okName/description match the SKILL.md: it documents a wiim-cli tool to discover/control WiiM/LinkPlay speakers (play/pause/volume/discover/play-url). No unrelated env vars, binaries, or config paths are requested.
- Instruction Scope
- okRuntime instructions are limited to installing/running a wiim-cli and using SSDP/UPnP discovery or specifying a host. The steps stay within the stated purpose. Note: play-url causes the device to fetch remote audio URLs (expected for this capability).
- Install Mechanism
- noteThis is an instruction-only skill (no install spec in the registry). SKILL.md tells users to install via 'uv tool install wiim-cli' or run with 'uvx --from wiim-cli'; that implies fetching third-party code at runtime—normal for CLI usage but verify the package source before installing.
- Credentials
- okNo environment variables, credentials, or config paths are requested. The only required access is local network/SSDP (appropriate for device discovery/control).
- Persistence & Privilege
- okalways is false and there is no install-time persistence declared. The skill does not request elevated or persistent privileges.