Skillv0.0.1

ClawScan security

toolguard-daemon-control · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignFeb 14, 2026, 6:04 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code and instructions match its stated purpose (managing user-level macOS launchd agents); no unrelated credentials, downloads, or hidden endpoints are present, though it can create persistent user-run services so usual caution about what you run applies.
Guidance: This skill appears to do exactly what it says: create and manage user-level launchd agents. Before using or allowing autonomous invocation, verify the exact command you will install and avoid passing secrets via --env (they are persisted in the plist). Prefer pointing to compiled binaries or wrapper scripts you control (not transient tools like 'go run'). Review created plist files in ~/Library/LaunchAgents and logs in ~/Library/Logs/toolguard/, and uninstall any service you don't recognize. Note: the scripts embed provided values directly into plist XML without escaping — avoid passing untrusted input that could break the plist or introduce unexpected entries.

Review Dimensions

Purpose & Capability: okName/description describe managing macOS launchd user agents; the included scripts implement install, uninstall, status, list, and log viewing by writing plists under ~/Library/LaunchAgents and logs under ~/Library/Logs/toolguard/. All required actions and files are consistent with that purpose.
Instruction Scope: noteScripts only touch user LaunchAgents and a user log directory and call system tools (launchctl, tail, which, mkdir, rm). They allow installing arbitrary executables as services and accept --env KEY=VALUE pairs which are written into the plist. The scripts do not read unrelated system files or external network endpoints. Caution: values are embedded into XML without explicit escaping (EnvironmentVariables and ProgramArguments are inserted directly), and installed services will persist and run arbitrary binaries — so you must trust the command and any environment values you pass.
Install Mechanism: okNo external install or network downloads; this is an instruction-only skill with bundled shell scripts. Nothing is fetched from third-party URLs or registries.
Credentials: noteThe skill declares no required env vars or credentials. However, install.sh accepts user-supplied --env pairs and writes them into the plist (persisted in ~/Library/LaunchAgents). Passing secrets or tokens will store them in a file under your home directory and may expose them to other processes that can read your user files. Logs may also capture sensitive output.
Persistence & Privilege: noteThe tool intentionally creates persistent user-level launchd agents (KeepAlive=true, RunAtLoad=true). The skill itself is not marked always:true, but if invoked (including autonomously by an agent) it can install services that survive reboots. This persistent capability is expected for the stated purpose but increases impact if used without supervision.