Skillv1.2.0

ClawScan security

Wake-on-LAN · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 29, 2026, 12:18 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code, instructions, and resource requests are consistent with a Wake-on-LAN utility: it only sends local magic packets, stores aliases in a local JSON file, and asks you to install a standard Python package; nothing appears disproportionate or off-purpose.
Guidance: This skill appears to do exactly what it says: send Wake-on-LAN packets and manage a small local alias database. Before installing, note: (1) you will need to install the wakeonlan Python package yourself (SKILL.md instructs this); (2) the skill will create and write references/devices.json inside the skill directory to store aliases — inspect that file if you care about stored MAC/IP entries; (3) it invokes the wakeonlan CLI and also opens raw UDP sockets (to broadcast and target IPs) which is necessary for WOL but will send network traffic on your LAN — ensure that is acceptable in your environment; (4) WOL may not work over Wi‑Fi or some routers and Termux/Android may block broadcasts; (5) if you want extra assurance, review scripts/wol.py locally (it is short and readable) before use. There are no apparent requests for credentials or unexpected network endpoints.

Purpose & Capability: okName/description match the implementation: the script sends WOL magic packets (via the wakeonlan CLI and raw UDP sockets) and manages saved device aliases. No unrelated credentials, binaries, or system paths are requested.
Instruction Scope: okSKILL.md tells the agent to install the wakeonlan Python package and to run the included script. The script only reads/writes references/devices.json inside the skill directory and sends UDP packets to broadcast or specified IPs — all within the expected scope for WOL functionality. It does call subprocess.run to invoke the wakeonlan CLI (expected) and opens raw UDP sockets (expected fallback for some platforms).
Install Mechanism: noteThis is an instruction-only skill with no automated install spec. SKILL.md instructs users to run `pip install wakeonlan`; the absence of an install block is not dangerous but means the package must be installed manually by the user. No remote archive downloads or unusual install steps are present.
Credentials: okThe skill requests no environment variables, no credentials, and no config paths outside its own references/devices.json. The local JSON file used to store aliases is proportionate to the described purpose.
Persistence & Privilege: okalways is false and the skill does not modify other skills or global agent settings. It stores its own device list under the skill directory (references/devices.json), which is normal for persistent state.