Skillv1.1.0

ClawScan security

macOS Notification Reader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 5, 2026, 10:37 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code, permissions request, and runtime instructions are consistent with its stated purpose of reading the local macOS notification database and exporting summaries; it does not request unrelated credentials or contact external endpoints.
Guidance: This skill appears internally consistent, but review and test before automating. Key points to consider: - Granting Full Disk Access to a Python binary gives that binary broad read access to your files; only grant to a binary you trust. Consider running the scripts manually first and inspect the output and code. - The scripts copy the notification DB to /tmp and then delete it; check that no sensitive notification content ends up in the output directory (~/.openclaw/workspace/memory/) if you keep those logs. - Cron or other background schedulers may not inherit macOS TCC permissions the same way as an interactive shell; verify that scheduled runs can actually access the DB or use a wrapped/approved binary. - The permission-setup guide includes an advanced dscl example that may be unreliable and could be risky—prefer the GUI Full Disk Access flow. - If you plan to run this regularly, consider creating a dedicated, minimal Python binary or virtualenv for this purpose and add only that binary to Full Disk Access, and periodically audit logs and outputs. If you do not trust the source, do not grant Full Disk Access or schedule it; instead run the scripts in a controlled environment and inspect outputs first.

Review Dimensions

Purpose & Capability: okName and description match the code and instructions. The scripts only access the macOS notification DB, parse bplist entries, and write markdown outputs; requiring Full Disk Access to read the protected notification DB is appropriate for this purpose.
Instruction Scope: noteInstructions focus on granting Full Disk Access, running the provided scripts, and scheduling cron jobs. This stays within the stated purpose. Note: granting Full Disk Access to a Python binary gives that binary broad file access on the machine — the instructions correctly require that but users should be aware of this scope. Also, scheduled/background execution (cron/launchd) can behave differently with macOS TCC permissions; the docs mention restarting services but users may need to test automation carefully.
Install Mechanism: okNo external install hooks or downloads; this is instruction + shipped scripts. No network fetches or archive extraction are performed by an installer. The code is local and readable before execution.
Credentials: okThe skill does not request environment variables, credentials, or config paths unrelated to its purpose. The only privileged requirement (Full Disk Access) is directly tied to reading the notification DB. The reference suggesting a dscl-based terminal method is marked 'may not work' and is not necessary; avoid running unclear dscl commands without understanding them.
Persistence & Privilege: okThe skill does not request always:true or other elevated platform privileges. It writes outputs into a user-local workspace (~/.openclaw) and temporary files under /tmp, and cleans temp files; these behaviors are in-scope for an archiver/summary tool.