Skill v1.0.0
ClawScan security
Rdk X5 Ai Detect · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 11, 2026, 6:39 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: Instructions are coherent with a ROS2-based RDK X5 BPU AI inference skill; the steps and requirements match the declared purpose, but take care with optional pip installs, example credential handling, and exposed web/RTSP streams.
- Guidance: This skill appears internally consistent for running AI inference on an RDK X5 device. Before installing/using it: (1) confirm you are on the intended RDK X5 hardware with TROS/ROS2 installed; (2) avoid running the provided pip commands without verifying the packages' source (they may fetch code from the network); (3) do not embed credentials in command lines—use protected config files or environment variables and be aware such command lines can leak to process lists or shell history; (4) the web UI (port 8000) and RTSP streams expose video data—ensure network access is restricted and authenticated; (5) verify model .bin files are from trusted sources and correctly converted (hb_mapper); and (6) if you need camera setup, media encoding, or model conversion, use the skill names referenced in the doc (rdk-x5-camera, rdk-x5-media, Horizon toolchain) rather than this skill. If you want a deeper safety check, provide the origin of the hobot-* packages, the TROS setup.bash contents, or the network endpoints used by the device.
Review Dimensions
- Purpose & Capability (ok): Name/description claim running AI inference on RDK X5 BPU via the TROS framework; SKILL.md only requires ros2 and references ROS launch files, BPU sysfs, and vendor Python inference packages—these are consistent with the stated purpose.
- Instruction Scope (note): Runtime instructions are limited to sourcing the TROS environment, launching ROS2 nodes for specific AI components, optional pip installs, reading BPU usage from /sys, and viewing a local web UI. Nothing in the instructions asks for unrelated system-wide data, but the examples include an RTSP URL with credentials (exposes secrets on the command line) and a web UI on port 8000 (network exposure).
- Install Mechanism (note): This is instruction-only (no install spec). It suggests optional pip installs (hobot-dnn-rdkx5, hobot-vio-rdkx5). Pip pulls from package indexes and may fetch remote code—verify package provenance before installing. No downloads from arbitrary URLs or archive extraction are prescribed.
- Credentials (ok): No environment variables or external credentials are required by the skill. The only credential-like artifact is the RTSP example containing 'admin:password' which is an example only but could encourage insecure practices; otherwise no unexplained secret access is requested.
- Persistence & Privilege (ok): always is false and there is no install that modifies global agent settings or other skills. The skill does not request permanent elevated privileges or persistent presence beyond normal invocation.
