ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

TouchBridge — Phone Biometric Auth for Mac

v1.0.0

Authenticate sudo and macOS system prompts using your phone's biometric (Face ID/fingerprint) instead of typing passwords. Perfect for Mac Mini, Mac Studio,...

0· 65·0 current·0 all-time
by@hmakt99
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, required binaries (touchbridged, touchbridge-test), and the provided GitHub .pkg URL align with the stated goal of enabling phone biometric auth for macOS prompts.
Instruction Scope
SKILL.md instructs running the daemon, installing a PAM module, checking daemon sockets, using a simulator (auto-approve), and a web mode that displays a URL for phone approval. These are within the feature scope, but they explicitly direct actions that affect system authentication and can broaden the attack surface (simulator auto-approves; web mode may expose an approval URL).
Install Mechanism
The install step is a downloadable .pkg hosted on GitHub Releases — a common distribution channel but still a remote installer executed on the machine. No checksum/signature is provided in the instructions; building from source is offered as an alternative. Download-and-run installers carry execution risk and should be verified before use.
Credentials
The skill requests no environment variables or unrelated credentials; the requested access (binaries and potential sudo use during install) is proportionate to the stated functionality.
!
Persistence & Privilege
The tool modifies system authentication (PAM), installs a daemon, and requires elevated privileges for installation/uninstallation — these are powerful capabilities. The skill is not 'always:true', but the required privileged changes mean an installer or scripts executed via the agent would have a high blast radius and must be trusted and audited.
What to consider before installing
This skill appears to do what it says, but it modifies macOS authentication (PAM) and installs a privileged daemon — high-risk actions. Before installing: (1) inspect the installer and install scripts (scripts/install.sh) or build from source yourself; (2) verify the .pkg via checksum or signed release from the upstream repo; (3) do not run the simulator (--simulator) on a production machine (it auto-approves sudo); (4) be cautious with --web mode (exposed URLs can be clicked by unintended parties if network-accessible); (5) back up /etc/pam.d/ and test in a VM or disposable machine first; (6) prefer installing only after verifying the GitHub project, maintainer reputation, and that the installer creates expected backups and restores on uninstall. If you are not comfortable auditing install scripts or running privileged installers, avoid installing this skill.

Like a lobster shell, security has layers — review code before you run it.

biometricvk977p4yc0smq20n2nc2gz1bsxd83syp1latestvk977p4yc0smq20n2nc2gz1bsxd83syp1macosvk977p4yc0smq20n2nc2gz1bsxd83syp1pamvk977p4yc0smq20n2nc2gz1bsxd83syp1securityvk977p4yc0smq20n2nc2gz1bsxd83syp1sudovk977p4yc0smq20n2nc2gz1bsxd83syp1touch-idvk977p4yc0smq20n2nc2gz1bsxd83syp1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔐 Clawdis
Binstouchbridged, touchbridge-test

Comments