Skill v1.0.2
ClawScan security
Find My · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious (Feb 16, 2026, 9:07 PM)
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's scripts and instructions appear to do what they claim (local UI automation of the macOS Find My app), but there are metadata inconsistencies and important privacy/permission tradeoffs you should understand before installing.
- Guidance: This skill appears to be a local UI-automation tool for macOS Find My and its scripts are readable shell code, but:
  - Verify the source: owner/homepage are unknown; confirm you trust the skill author before installing.
  - Reconcile metadata: SKILL.md requires peekaboo, jq, and PEEKABOO_BRIDGE_SOCKET, but the platform metadata lists none — ensure those requirements are present and correct.
  - Permission tradeoff: to work you must give OpenClaw.app Screen Recording and Accessibility access. Granting those permissions gives that app broad ability to capture your screen and control UI—only proceed if you trust OpenClaw.
  - Sensitive data: the skill takes screenshots of Find My and can view location data for people/devices; treat outputs (files in /tmp or configured FM_OUTPUT_DIR) as sensitive and clean them up if needed.
  - Runtime behavior: automation will move your mouse / block interaction while running; avoid running on remote/cloud machines or shared sessions.

  If you decide to install, inspect the scripts (they are plain Bash) and test in a controlled environment first. If the metadata inconsistencies worry you, ask the publisher to update platform metadata to explicitly declare required binaries and env variables before proceeding.
Review Dimensions
- Purpose & Capability (note): The scripts implement local UI automation of Find My using the peekaboo CLI and jq, which matches the stated purpose. However the registry metadata provided to the platform lists no required binaries/env, while SKILL.md declares required binaries (peekaboo, jq), an environment variable (PEEKABOO_BRIDGE_SOCKET), and macOS-only metadata — this mismatch is inconsistent and should be reconciled.
- Instruction Scope (ok): Runtime instructions are limited to controlling Find My via Peekaboo (clicks, screenshots, switching tabs) and do not reference unrelated system files or network endpoints. They do capture screenshots of the Find My window and rely on UI automation (mouse clicks, focusing the app), which will be visible and block user input while running.
- Install Mechanism (ok): There is no remote install or download step; the skill ships scripts that run locally and expect peekaboo and jq to be installed. This is a low-risk install mechanism, though scripts included in the skill will be written to disk when installed.
- Credentials (note): The skill does not request unrelated credentials and only uses PEEKABOO_BRIDGE_SOCKET (plus optional FM_OUTPUT_DIR) per SKILL.md. It DOES, however, access highly sensitive data (location of people/devices and screenshots) by design. Additionally, the registry metadata did not declare these required env/binaries — an incoherence that should be fixed.
- Persistence & Privilege (note): The skill does not request 'always: true' and does not modify other skills. However it requires OpenClaw.app (Peekaboo bridge) to have Screen Recording and Accessibility permissions — granting those permissions to OpenClaw.app gives that app broad screen/input access on your machine, which is a significant privilege to accept even if the skill itself stays local.
