v1.1.2

SenseCraft AI Model Hub

Benign
ClawScan verdict for this skill. Analyzed May 1, 2026, 7:41 AM.

Analysis

This skill is mostly coherent with its stated purpose, but users should notice that it can install Python packages, download public model files, write local artifacts, and use the webcam for the demo.

Guidance: This skill appears safe to use for public SenseCraft model discovery and local demos. Before running the demo setup, be aware it installs Python packages into a local virtual environment, downloads model files from SenseCraft, and may use your webcam; keep downloaded models and saved captures in reviewed local folders and avoid using them in production without validation.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low, Confidence: High, Status: Note
scripts/setup_local_demo_env.sh
python -m pip install numpy opencv-python pillow ai-edge-litert

The local demo setup installs external Python packages without version pins. This is expected for a demo environment, but it means the installed code comes from the current package index state rather than a locked dependency set.

User impact: Running the setup may install newer or changed third-party packages into the skill's virtual environment.
Recommendation: Run the setup only when you want the webcam demo, and consider pinning package versions or using a reviewed environment for repeatable or production use.

Agentic Supply Chain Vulnerabilities
Severity: Low, Confidence: High, Status: Note
scripts/run_local_person_demo.sh
python "$ROOT/scripts/sensecraft_models.py" download --model-id 60080 --output-dir "$ROOT/models" --manifest "$ROOT/models/downloaded.json" --summary

The launcher automatically downloads a public SenseCraft model file if the expected local model is missing. This is disclosed and aligned with the demo, but the artifact is fetched from a remote source at run time.

User impact: The first demo run can place a downloaded model file and manifest on disk before opening the local inference demo.
Recommendation: Use the default download only if you trust the SenseCraft model source, and inspect downloaded artifacts before relying on them in production workflows.

Tool Misuse and Exploitation
Severity: Low, Confidence: High, Status: Note
scripts/sensecraft_webcam_person_demo.py
cap = cv2.VideoCapture(args.camera)

The webcam demo opens a local camera device for live inference. This is central to the advertised local demo and requires normal OS/user permission, but it is privacy-relevant device access.

User impact: If you run the webcam demo, it will access your camera locally and can display live annotated video.
Recommendation: Run the webcam demo only when you intentionally want local camera inference, and confirm your OS camera permissions are set appropriately.

Tool Misuse and Exploitation
Severity: Info, Confidence: High, Status: Note
scripts/sensecraft_webcam_person_demo.py
if key == ord('s'):
    captures_dir = Path(__file__).resolve().parent.parent / "captures"
    captures_dir.mkdir(parents=True, exist_ok=True)
    out_path = captures_dir / f"capture-{int(time.time())}.png"
    cv2.imwrite(str(out_path), annotated)

The demo can save annotated camera frames to a local captures directory when the user presses the save key. This is disclosed in the reference notes and is user-triggered, but saved images may contain private visual data.

User impact: Saved frames may persist on disk and could include people, rooms, or other private visual information.
Recommendation: Review and delete saved captures when they are no longer needed, especially on shared machines.