ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

iCloud Find My

v1.0.0

Query Find My locations and battery status for family devices via iCloud.

6· 2.8k·4 current·4 all-time
by@liamnichols
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's claimed purpose (querying Find My via PyiCloud) aligns with the instructions to install and run the `icloud` CLI. Minor inconsistency: registry metadata lists no required binaries or credentials, but SKILL.md metadata and the runtime instructions explicitly require the `icloud` binary (pyicloud) and an Apple ID for authentication.
!
Instruction Scope
Instructions direct the agent to prompt for the user's Apple ID and run local CLI commands that create long-lived sessions. They also recommend storing the Apple ID in TOOLS.md/workspace config and advise using Python's eval() to parse CLI output — eval() on any string is dangerous and storing identifiers in workspace files can leak sensitive info to other skills or collaborators. The instructions don't direct data to external endpoints, but they do encourage persistent local storage of sensitive authentication state.
Install Mechanism
No install spec in the registry (instruction-only), but SKILL.md recommends using Homebrew + pipx to install pyicloud — both are common, legitimate package managers. There are no downloads from unknown URLs or extract steps. Platform is macOS-only (declared), which matches the brew-based install instructions.
!
Credentials
The skill requires interactive Apple ID credentials and 2FA to work, but the registry declares no primary credential or required env vars. The SKILL.md instructs storing the Apple ID in workspace files (TOOLS.md), which is disproportionate and increases leakage risk. The skill does not request passwords as env vars (the CLI prompts), but persistent session tokens are created on disk for 1–2 months — this is a sensitive artifact that should be considered before installation.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It relies on PyiCloud's session files stored in the user's home directory (described in the doc), which is normal for this tool. The skill does not attempt to modify other skills or global agent settings.
What to consider before installing
This skill is coherent with its stated purpose but has privacy and safety issues you should consider before installing: 1) It asks you to run a local CLI (pyicloud) that will prompt for your Apple ID, password, and 2FA — those credentials create session tokens stored on disk for 1–2 months. Treat those tokens as sensitive. 2) Do not store your password in TOOLS.md or any plaintext workspace file; storing the Apple ID is lower risk but may still reveal personal info. 3) The SKILL.md suggests using Python eval() to parse CLI output — avoid eval() on untrusted text and use a safe parser instead. 4) Confirm you trust the PyiCloud package source (pipx install) and that you want an agent that can run local shell commands. If you proceed, prefer manual authentication, avoid persisting secrets in shared workspaces, and inspect the PyiCloud package release on GitHub before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dx61emgm5bj1nbe6mtf9mgh7yr3ve

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📍 Clawdis
Binsicloud

Comments