Skill v1.0.0

ClawScan security

Rdk X5 App · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 11, 2026, 6:42 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's instructions, requirements, and actions are coherent with its stated purpose of running pre-installed RDK X5 /app demos; it does not ask for unrelated credentials or install arbitrary remote code, but it does instruct running privileged and networked demos on the device.
Guidance
This skill is internally consistent and appears to be what it says: documentation to run pre-installed demos on an RDK X5 device. Before running anything: (1) inspect /app to confirm files come from a trusted source, (2) be aware many commands require sudo or apt and will modify the device (installing packages, starting nginx), (3) demos access hardware (GPIO, camera) and network streams (RTSP), so run them on the intended device and network only, (4) replace example credentials (the docs show admin:password) with secure real credentials or avoid exposing credentials in URLs, and (5) if you want to avoid unintended system changes, run scripts in a controlled environment or review individual commands rather than running broad make/sudo operations blindly.

Review Dimensions

Purpose & Capability
ok: Name/description match the instructions: the SKILL.md only describes running demos under /app and lists python3 and build/run steps. Requesting python3 and referring to system Python is appropriate for device demos.
Instruction Scope
note: Instructions tell the operator to cd into /app, run Python demos, compile and run C++ demos, start nginx, use sudo for GPIO examples, and run rtsp streams. All are expected for hardware demos, but they involve privileged operations (sudo, apt install) and network I/O (RTSP, web UI). The SKILL.md does not attempt to read unrelated system data or offload data to an external service beyond normal network streams.
Install Mechanism
ok: No install spec and no external downloads—this is an instruction-only skill that relies on existing system binaries, which minimizes install-time risk.
Credentials
ok: The skill declares no environment variables, credentials, or config paths. Example RTSP URL includes sample credentials (admin:password) in documentation only; there are no required secrets declared. This is proportional to the described demo role.
Persistence & Privilege
note: always is false and the skill does not request persistent system changes. However, the runtime instructions call for privileged actions (sudo, apt install) and starting system services (nginx), which will change system state when followed; exercise usual caution before running those commands.