Back to skill
Skillv1.0.1
ClawScan security
ukui-settings · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 11, 2026, 9:24 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is internally consistent: it provides a Python wrapper around the gsettings tool to export/apply UKUI presets, requests only the expected binaries, and does not ask for unrelated credentials or network access.
- Guidance
- This tool is coherent with its purpose but it will change your desktop settings when you run apply. Before applying a preset: (1) review the preset JSON to ensure it doesn't contain private paths or unexpected values, (2) export a backup of your current settings (use export/export-ukui), and (3) be cautious if allowing autonomous agents to invoke this skill since it can silently change gsettings. No network access or credentials are requested by the skill itself.
Review Dimensions
- Purpose & Capability
- okName/description match the implementation. The script requires gsettings and python3 (declared) and only calls gsettings to list/get/set keys and reads/writes local preset JSON files — all are expected for a gsettings presets tool.
- Instruction Scope
- noteSKILL.md and the script limit actions to calling gsettings and reading/writing presets in the skill directory or a user-specified path. This stays within the stated purpose. Caveat: applying a preset will change user desktop settings (including keys that may contain absolute paths or other sensitive values), so presets should be reviewed before use; the SKILL.md already warns about not including private data in presets.
- Install Mechanism
- okNo install spec; this is an instruction-only skill with a small included Python script. Nothing is downloaded or written to unexpected system locations.
- Credentials
- okThe skill requests no environment variables or credentials. Its file access is limited to the skill directory presets or user-specified paths — appropriate for its function.
- Persistence & Privilege
- notealways is false (normal). The skill allows autonomous invocation (platform default). While this is expected, note an agent could call the skill to change the user's gsettings without an explicit manual command; combine this with the fact that applying presets modifies desktop settings — review presets and invocation policies if you don't want automated changes.