ClawHub

Droidrun Agent

v0.1.0

DroidRun Portal HTTP/WebSocket/MCP client. Controls Android devices via HTTP, WebSocket, or MCP server, supporting tap, swipe, screenshot, text input, UI sta...

0· 121·0 current·0 all-time
by涵曦@hanxi
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name and description match the SKILL.md content: async HTTP/WebSocket/MCP clients for controlling Android devices. Example calls, screenshot and install-from-URL features align with the described purpose. The SKILL.md does not request unrelated services or credentials.
Instruction Scope
Instructions show how to use PortalHTTPClient/PortalWSClient, call device actions (tap, swipe, screenshot, install APK from URL), and pass tokens at runtime. These operations are within expected scope. Note: the examples imply network access to device IPs and installing APKs from URLs — expected for this tool but high-privilege on the target device, so only connect to trusted devices and URLs.
Install Mechanism
There is no install spec in the registry (instruction-only skill), so nothing will be written to disk by an automated installer. The README mentions a local command 'uv sync' for setup, which is not part of the registry install; this is unusual but not itself malicious. No external download URLs or archive extracts are present in the registry metadata.
Credentials
The skill declares no required environment variables or config paths. The SKILL.md shows token parameters passed directly to client constructors (not implicitly requiring secrets in environment variables), which is proportionate to a client library.
Persistence & Privilege
Registry flags are default (always:false, user-invocable:true) and the skill does not request persistent or elevated platform privileges. It does not claim to modify other skills or system-wide settings.
Assessment
This skill appears to be an instruction-only client for controlling DroidRun Portal devices and is internally consistent. Before installing/using it you should: 1) Only connect to devices you trust — the library can control apps, press keys, take screenshots, and install APKs from URLs. 2) Provide authentication tokens at runtime rather than placing secrets in shared environments. 3) Verify the upstream source or repository for the droidrun-agent code (the registry metadata lists no homepage or source), especially if you plan to run any local setup commands like 'uv sync'. 4) Avoid passing device or token information to untrusted third parties. If you want a higher assurance, request the actual source code or a published package so you (or your security team) can review it before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk9799s4zpgpf60e1bcatgnxj2s832k5h

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments