dokidoki
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill’s instructions match its stated purpose of controlling BLE devices, but users should notice that it can actuate nearby hardware through an external CLI and start a background daemon.
Install this only if you want an agent/terminal workflow to control your BLE device. Verify the external npm CLI first, keep control actions user-directed, and use the documented pause, disconnect, status, and stop commands when finished.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used unintentionally or on the wrong device, the agent could cause a connected BLE device to move or vibrate.
The skill exposes commands that can directly actuate BLE-connected devices and play timed action sequences. This is expected for the stated purpose, but it has real-world effects.
`doki player play [audio] <timeline.json>` ... `doki action linear 50` ... `doki action vibration 80` ... `doki action pause`
Use this skill only for devices you intend to control, and prefer explicit user confirmation before running connect, playback, or direct action commands.
A background process may continue running after a scan or connection until it is stopped.
The skill documents a background daemon that can auto-start, along with explicit stop and status commands. This persistence is disclosed and related to the device-control purpose.
`doki scan` - Scan for BLE devices (auto-starts daemon) ... `doki start` - Start background daemon ... `doki stop` - Stop background daemon
Check `doki status` and run `doki stop` or `doki disconnect` when you are done using the device.
Installing the referenced CLI gives external package code access to run locally and interact with Bluetooth hardware.
The skill relies on an external global npm-installed CLI, and the reviewed artifact set did not include that package’s code or a pinned package version.
"install":[{"id":"npm","kind":"npm","package":"@tryjoy/dokidoki","global":true,"bins":["doki"],"label":"Install dokidoki (npm)"}]
Verify the npm package source and version before installing, and install it only from a trusted registry/account.
