Skill v1.0.0
ClawScan security
perfetto-analyse · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 13, 2026, 5:01 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's files and runtime instructions align with its stated purpose (capturing and analysing Perfetto traces); it requires no unexplained credentials or privileged persistence, though you should verify Python/pip installs and the optional downloaded trace_processor binary before running.
- Guidance: This skill appears to do what it says: capture and analyse Perfetto traces. Before installing/using it: (1) Confirm you have adb, Python, and pip locally if you intend to capture traces or run the script. (2) Inspect/verify the 'perfetto' Python package/version on PyPI (requirements.txt uses perfetto>=0.0.0, which is a placeholder) and be aware that pip installing a package can run package code during install. (3) When following SKILL.md suggestions to download trace_processor via curl, prefer the official URL (get.perfetto.dev is the documented host) and verify the binary checksum if possible. (4) The included Python script runs arbitrary SQL against local trace files; do not run untrusted SQL files or traces from unknown sources. Overall the package is internally consistent with its stated purpose.
Review Dimensions
- Purpose & Capability (ok): Name/description match the included files: docs, .pbtx example configs, and a small query script. There are no unrelated environment variables, credentials, or config paths requested that would contradict a Perfetto trace analysis tool.
- Instruction Scope (ok): SKILL.md focuses on trace capture, TraceConfig editing, and running SQL queries against local trace files. It references adb, perfetto/trace_processor, and the included Python script; it does not instruct reading unrelated system files or exfiltrating data to remote endpoints. The agent may need adb/curl/python available, which SKILL.md assumes.
- Install Mechanism (note): This is instruction-only (no install spec). The docs tell users to pip install the 'perfetto' Python package and optionally curl get.perfetto.dev/trace_processor; both are expected for trace processing. Minor oddity: scripts/requirements.txt specifies 'perfetto>=0.0.0', which is effectively a placeholder; you should verify the package and version on PyPI before installing.
- Credentials (ok): The skill requests no environment variables, secrets, or config paths. The script operates on user-supplied trace files and SQL only.
- Persistence & Privilege (ok): The skill does not request persistent/always-on privileges and does not modify other skills or system-wide settings. Autonomous invocation is allowed by default, but the skill has no elevated privileges.
