Skill v1.0.0
ClawScan security
Rdk X5 Network · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 9, 2026, 11:13 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only network administration helper whose required tools and commands match its stated purpose; nothing requested appears disproportionate, though there are minor documentation typos and normal operational risks (e.g., enabling SSH/VNC) you should be aware of.
- Guidance: This skill is coherent with its stated purpose and low-risk as an instruction-only helper, but review a few things before use: ensure the target device actually provides the referenced tools (nmcli, bluetoothctl, and the config utility — the doc mentions `srpi-config` which may be a typo for raspi-config), and be careful when running sudo commands that enable SSH or VNC (they open remote access — use strong passwords/keys and confirm you want them enabled). Avoid running unfamiliar commands as root without verifying them on your device. If you plan to allow autonomous agent invocation, be aware the agent could enable remote services automatically; if you don't want that, require manual invocation or explicit confirmation.
Review Dimensions
- Purpose & Capability (ok): Skill name/description (WiFi, static IP, Bluetooth, hotspot, SSH/VNC troubleshooting) align with the commands and tools in SKILL.md. It declares nmcli as required and the instructions center on nmcli, ip, bluetoothctl and systemctl — all relevant to network and Bluetooth management.
- Instruction Scope (note): Instructions stay within network/Bluetooth admin scope (nmcli, ip, bluetoothctl, systemctl, /etc/resolv.conf). They include sudo commands to modify connections and enable services (SSH/VNC), which is expected for this purpose but has real-world security implications (enabling remote access). The doc references `srpi-config` (typo/uncommon name: typically raspi-config or rpi-config), which may be a documentation mismatch for the target platform.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files; nothing will be written to disk by the skill bundle itself. This is the lowest-risk install model.
- Credentials (ok): No environment variables, credentials, or config paths are requested. The skill does not ask for unrelated secrets or external credentials.
- Persistence & Privilege (note): The skill is not forced-always and does not request persistent privileges from the registry. However, runtime instructions include enabling persistent services (e.g., `systemctl enable ssh`) which permanently change device behavior — if the agent is allowed to invoke the skill autonomously, it could enable remote access without additional prompts. This is expected for a network admin skill but increases operational blast radius and should be consented to by the user.
