Back to skill
Skillv0.2.6
ClawScan security
ClawCast · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 14, 2026, 5:01 AM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill is internally coherent for bootstrapping OBS automation: required binaries and scripts match the described purpose, but it includes an explicit cross-component DB write step (guarded by an acknowledgement flag) that you should review before running.
- Guidance
- This skill appears to do what it says: bootstrap OBS scenes and serve local overlays. Before installing/running: - Review and back up any agentic-obs DB you might pass to obs_target_switch.sh. That script will update obs_host/obs_port in the specified sqlite DB if you provide the DB path and the --allow-cross-component-write flag. - Only run obs_target_switch.sh when you intentionally want to change the agentic-obs target; if unsure, skip that step. Verify the DB path points to the intended database (do not pass arbitrary files). - start_overlay_server.sh uses python3 -m http.server to serve the skill folder on the chosen port (default 8787). Confirm the machine/network are trusted and do not expose that port to the public internet. - Ensure mcporter is properly configured and that you trust the configured 'obs' MCP server before running any scripts that call it. - If you have low tolerance for configuration changes, run the scripts in a non-production/sandbox environment first and inspect scripts (they are plain shell) to confirm behavior.
Review Dimensions
- Purpose & Capability
- okName/description (OBS automation via mcporter/agentic-obs) align with required binaries (mcporter, python3, sqlite3, ss) and the included scripts. The scripts perform expected tasks: start a local overlay HTTP server, create browser sources and scenes via mcporter, run smoke tests, and optionally write an agentic-obs DB entry.
- Instruction Scope
- noteMost runtime instructions are narrowly scoped to OBS automation (mcporter calls, local HTTP server serving the skill folder, scene creation). One instruction/script (scripts/obs_target_switch.sh) will update another component's sqlite DB (agentic-obs config) when given a DB path and the explicit --allow-cross-component-write flag; this is intentional and documented, but it modifies other component configuration and therefore warrants explicit operator attention before use.
- Install Mechanism
- okThis is an instruction-only skill (no remote download/install). All code is included in the repo as scripts and static overlays; there is no network install step or external archive extraction. The only runtime network behavior is starting a local python http.server to serve the skill directory.
- Credentials
- noteThe skill requests no credentials or env vars by default. Optional envs (OVERLAY_PORT, OVERLAY_BASE_PATH, OBS_AUDIO_INPUTS, MIC_MUL, DESKTOP_MUL) are reasonable for the described tasks. However, the skill can be used to update an agentic-obs sqlite DB when the operator supplies a DB path; the registry metadata lists no required config paths even though the cross-component write is a supported action — this should be considered before granting filesystem access or passing an agentic-obs DB path.
- Persistence & Privilege
- okThe skill does not request 'always: true' and is user-invocable. It writes only to its own skill directory (served by the HTTP server) and only writes to another component's DB when explicitly invoked with a DB path and acknowledgement flag. It does not modify other skills' configuration by default.