Bluetooth

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If approved too broadly, an agent could send commands to speakers, wearables, lights, locks, or other nearby devices.

Why it was flagged

The skill documents commands that can pair, connect to, and write data to Bluetooth devices. This is central to the skill, but misuse could change device behavior.

Skill content
pair XX:XX:XX:XX:XX:XX      # Pair device
connect XX:XX:XX:XX:XX:XX   # Connect
char-write-cmd 0x0025 0100

Recommendation

Only allow pairing, connection, and write operations for devices you recognize and for actions you explicitly requested.

What this means

Running these commands may expose nearby device traffic in capture files and requires elevated system privileges.

Why it was flagged

The packet-capture workflow requires root privileges and can record Bluetooth traffic. This is a legitimate diagnostic workflow, but it crosses a local privilege boundary.

Skill content
sudo btmon

# Save to file
sudo btmon -w capture.btsnoop

Recommendation

Use sudo packet capture only for troubleshooting, save captures in a known location, and avoid sharing them unless necessary.

What this means

Installing external packages can introduce normal package-manager supply-chain risk.

Why it was flagged

The skill references optional third-party tools/packages without pinning versions. These are user-directed setup commands and align with the Bluetooth purpose.

Skill content
brew install blueutil
...
pip install bleak

Recommendation

Install only from trusted package managers, verify package names, and prefer maintained/pinned versions where possible.

What this means

Local profile/history files could reveal device MACs, device names, usage patterns, command results, and possibly health or pairing information if someone reads them.

Why it was flagged

The skill creates persistent local memory about Bluetooth devices and interactions, and may store sensitive identifiers or pairing details.

Skill content
Store approved devices in `~/bluetooth/profiles/`
...
Log every command sent and result received
Retain logs for troubleshooting and audit
...
Document PIN/passkey in profile (if static)

Recommendation

Review and protect the ~/bluetooth/ folder, avoid storing secrets unless necessary, prune old logs, and verify learned profiles before reusing saved commands.