Skill v1.0.2

ClawScan security

Imessage Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 16, 2026, 3:11 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
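The functionality largely matches the description, but the built-in "remote control" path (receiving and possibly executing commands via iMessage), combined with the subprocess/execution capability present in the script and the fact that the source code is truncated in the submission, creates an unclear risk of execution or data leakage. The code must be manually audited and the administrator list restricted before remote control is enabled.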
Guidance
This skill largely does what it says: it controls macOS Messages and offers a documented remote-control feature. However:

- The remote-control feature (receiving commands via iMessage and executing them) is the main risk. It is default-disabled; keep it disabled unless you explicitly need it.
- Before enabling remote control, manually review the full scripts/main.py to confirm how control commands are executed. Pay attention to any use of subprocess, os.system, exec/eval, or direct shell execution: these can be abused if whitelist/blacklist logic is bypassable.
- Limit admin_contacts to a very small, trusted set (ideally your own number) and test allowed_commands/blocked_commands carefully. Prefer a minimal allowed_commands list.
- Keep require_confirmation=true for sending to non-trusted contacts and do not add broad patterns to trusted_contacts.
- Inspect security.log and control.log after running; consider moving logs to a location you control and reviewing entries regularly.
- Because part of the shipped main.py is truncated in the provided package, treat the package as partially unverifiable until you can obtain and audit the complete source from a trustworthy origin (e.g., an official repo). If you cannot audit the full code, avoid enabling remote control and avoid running the skill with elevated privileges.

If you want, I can scan the remaining parts of scripts/main.py (or search the file for subprocess/exec/osascript usage) to point out exact places to review.

Review Dimensions

Purpose & Capability
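ok
The name, description, and requested system dependencies (macOS, Messages, Accessibility permission, Python) are consistent. skill.json declares use of osascript/Messages, and both SKILL.md and the script use AppleScript and Apple's Messages as the implementation mechanism, so the overall capability matches what is declared.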
Instruction Scope
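concern
SKILL.md explicitly includes a "remote control" feature: it detects control commands prefixed with '!' and executes them after confirming administrator privileges and the whitelist. The script imports subprocess (which can execute shell/osascript), and the main source is truncated in the submission, so it cannot be confirmed whether the execution path is strictly limited to safe internal operations. Although remote control is disabled by default and a whitelist/blacklist mechanism is declared, automatically detecting and executing commands received over iMessage (for example via recent check_control=true) enlarges the attack surface; if the implementation is not rigorous, it could lead to arbitrary command execution or data leakage.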
Install Mechanism
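ok
No unknown binaries or external install scripts are downloaded; this is an instruction-plus-source package (scripts/main.py). No high-risk installation methods such as untrusted URLs or short links are used. The risk comes mainly from runtime permissions and code behavior, not from the installation source.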
Credentials
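ok
No additional environment variables or external credentials are requested; the required permissions (Accessibility permission, a signed-in Apple ID) are consistent with operating macOS Messages. The only configuration required is a local config.json (trusted contacts, administrators, whitelist/blacklist, etc.), which is proportionate overall.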
Persistence & Privilege
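ok
always:true is not set, and the skill does not automatically obtain platform-level forced persistence. The script writes security.log and control.log in its skill directory (normal local logging behavior). No sign of modifying other skills or the global agent configuration was found.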