Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Mirroir
v0.13.0
Control a real iPhone through macOS iPhone Mirroring — screenshot, tap, swipe, type, launch apps, record video, OCR, and run multi-step scenarios. Works with...
by Jeanfrancois Arcand (@jfarcand)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The skill claims to control an iPhone via macOS iPhone Mirroring and requires the iphone-mirroir-mcp binary and macOS — this is coherent. Karabiner-Elements and a helper daemon are reasonable for virtual keyboard/control functionality. OS restriction to darwin and listed tools match the purpose.
Instruction Scope
Runtime instructions do not request unrelated files or credentials, but they include a one-line install that executes a remote script: /bin/bash -c "$(curl -fsSL https://mirroir.dev/get-mirroir.sh)". The SKILL.md also instructs enabling DriverKit/Karabiner and granting Screen Recording and Accessibility — expected for this capability but high-privilege and worth explicit review.
Install Mechanism
Install options include Homebrew (jfarcand/tap) and an npm package (iphone-mirroir-mcp), which are reasonable. However, the SKILL.md recommends a direct curl | bash installer from mirroir.dev (arbitrary remote script execution). Prefer vetted package installs or inspect the installer before running.
Credentials
No environment variables or external credentials are requested. Requests for system permissions (Accessibility, Screen Recording, DriverKit extension) are proportional to a tool that simulates input and captures the screen, but they carry privacy/security implications (e.g., potential to capture keystrokes and screen contents).
Persistence & Privilege
The skill installs a helper daemon / MCP server and Karabiner components which run with system-level capabilities. It does not set always: true and does not request other skills' configs, but installing driver-level components and a persistent MCP helper increases blast radius and should be consented to consciously.
Assessment
Before installing:
1) Inspect the installer: do NOT run curl | bash without reviewing https://mirroir.dev/get-mirroir.sh — prefer Homebrew (brew tap jfarcand/tap && brew install iphone-mirroir-mcp) or npx if you trust the npm package.
2) Verify sources: check the jfarcand/tap Homebrew formula and the iphone-mirroir-mcp npm package or upstream repo to confirm maintainers and code.
3) Understand permissions: Karabiner/DriverKit, Screen Recording, and Accessibility give the tool the ability to capture screen and synthesize input (keystroke capture / injection risk); only grant them on a trusted machine and revoke if you stop using the tool.
4) Limit exposure: run on a dedicated/test Mac if possible, review MCP/server command config, and consider whether you want the agent to call this skill autonomously.
5) If unsure, request the upstream source code or run installation in an isolated environment (VM) and audit installed components before use.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
📱 Clawdis
OS: macOS
Bins: iphone-mirroir-mcp
Install
Install mirroir via Homebrew
Bins: iphone-mirroir-mcp
brew install jfarcand/tap/iphone-mirroir-mcp
Install mirroir (npx)
Bins: iphone-mirroir-mcp
npm i -g iphone-mirroir-mcp