Back to skill
Skillv1.0.0
ClawScan security
Rdk X5 Gpio · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 9, 2026, 11:14 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's instructions, required binary (python3), and referenced device paths are coherent with its stated purpose of controlling RDK X5 40‑pin GPIO/peripherals; it asks for no unrelated credentials or installs and appears to be purely hardware-control guidance — but it requires elevated privileges (sudo, modprobe) and direct access to device nodes, so run only on a trusted device.
- Guidance
- This is an instruction-only hardware-control skill and appears consistent with its description. Before using it: (1) run it only on the actual RDK X5 hardware or a trusted test device, (2) be aware many commands require sudo/modprobe and direct access to /dev nodes (these are powerful — do not run on sensitive hosts), (3) verify Hobot.GPIO is the expected library on your device and inspect any sample scripts in /app/40pin_samples before sudo execution, (4) pip installing packages (e.g., spidev) will fetch code from PyPI — review if you have strict supply-chain requirements, and (5) double-check wiring and voltage to avoid hardware damage. If you need lower privileges or tighter auditing, consider reviewing or running samples manually rather than allowing autonomous invocation.
Review Dimensions
- Purpose & Capability
- okName/description promise GPIO/PWM/I2C/SPI/UART/CAN control; SKILL.md contains concrete commands and Python snippets using Hobot.GPIO, /dev/* device nodes, srpi-config and hardware tools. Required binary python3 is appropriate and proportional.
- Instruction Scope
- noteInstructions stay within hardware control scope (reading /dev/i2c*, /dev/spidev*, /dev/ttyS*, /app/40pin_samples, /boot/config.txt). They explicitly instruct use of sudo, modprobe, and access to system device files — necessary for peripheral control but high-privilege operations; no instructions to collect or transmit unrelated data.
- Install Mechanism
- okNo install spec (instruction-only skill). The doc suggests runtime pip3 install spidev for SPI usage (normal for hardware libraries). No downloads from arbitrary URLs or archive extraction are present.
- Credentials
- okSkill declares no required environment variables or credentials. The only notable requirement is privileged access to system devices and use of sudo, which is expected for GPIO/peripheral control on the device.
- Persistence & Privilege
- noteSkill is not always-enabled and is user-invocable. It instructs commands that require elevated privileges (sudo, modprobe) and reads/writes device files. Autonomous invocation is permitted by default (platform behavior) — combine that with privileged commands only if you trust the skill and device context.