Skill v0.1.0

ClawScan security

Scrcpy Claw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 12, 2026, 9:24 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, instructions, and requirements are coherent with an ADB/scrcpy-based Android control tool — it requests no unrelated credentials and performs device operations expected for this purpose.
Guidance
This skill legitimately needs ADB/scrcpy access and will perform powerful actions on any connected Android device (push/start server, take screenshots, read UI hierarchy, set clipboard, install APKs). Only install/use it if you trust the source and will run it on devices you control. Before using: (1) review the scripts (they are included) to confirm no unwanted network exfiltration; (2) ensure adb is only connected to intended devices; (3) provide a trusted scrcpy-server.jar if you plan to use scrcpy features; and (4) if you dislike autonomous agent invocation, keep the skill user-invocable only or disable autonomous invocation in your agent settings.

Review Dimensions

Purpose & Capability
ok: Name/description (Android control via ADB/scrcpy) matches the included Python controllers and README. The scripts implement ADB commands, UI dump parsing, scrcpy server push/connection, and AI-assisted decision logic — all relevant to remote device control and automation.
Instruction Scope
note: SKILL.md and the scripts instruct the agent to run ADB and scrcpy-related commands, pull UI dumps, take screenshots, push and start a scrcpy server, and (optionally) install APKs. These actions access sensitive device data (screenshots, UI hierarchy, clipboard) but are expected for a device-control skill. There is no instruction to read unrelated host files or to transmit data to external endpoints.
Install Mechanism
ok: This is instruction-only with bundled scripts (no automated installer or remote downloads). The code looks for an existing scrcpy-server JAR in common locations and will warn if not found rather than downloading arbitrary code. No install URLs, package registry pulls, or archive extraction were observed.
Credentials
ok: The skill requests no environment credentials or config paths. It requires ADB on PATH (documented) which is appropriate. The scripts operate on connected Android devices and local files (screenshots, UI dumps), which is proportionate to the stated functionality.
Persistence & Privilege
ok: always:false and no attempt to modify other skills or system-wide agent config. The skill performs subprocesses, port-forwarding, and starts a server on the device, which is normal for scrcpy integration. Note: the platform default allows autonomous invocation; combined with device-control capabilities this increases the importance of trusting the skill before enabling autonomous runs.