Skill v1.0.0

ClawScan security

Lovefromio Sonoscli · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 27, 2026, 2:05 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements, instructions, and install behavior are coherent with its stated purpose (a Sonos CLI); nothing requires unrelated credentials or elevated persistence.
Guidance
This skill appears to do what it says: build or use the 'sonos' CLI to control Sonos devices on your local network. Before installing, consider:
1) The install compiles a Go binary from the github.com/steipete/sonoscli module. If you do not already trust that project, review its source on GitHub first. The spec ends in @latest, so it builds whatever the newest tagged version is at install time rather than a fixed revision.
2) The binary will access your local network (SSDP/UPnP) to discover and control speakers; that is required behavior.
3) Only provide SPOTIFY_CLIENT_ID and SPOTIFY_CLIENT_SECRET if you want Spotify search and you trust the module to use them appropriately.
4) If you prefer a review step, install the binary manually (go install, pinned to a version you have audited) instead of granting automatic installs.

Review Dimensions

Purpose & Capability: ok
Name and description match the declared requirements (the skill needs a 'sonos' binary and provides commands to discover/control Sonos devices). The go install of github.com/steipete/sonoscli/cmd/sonos@latest directly corresponds to producing the expected 'sonos' binary.
Instruction Scope: note
SKILL.md instructs only local-network Sonos operations (discover/status/play/volume/group). It also mentions optional Spotify Web API usage and references SPOTIFY_CLIENT_ID/SECRET for Spotify search. Those variables are optional and not required by default, but the instructions reference them even though they are not declared in requires.env.
Install Mechanism: ok
The install spec uses 'go' to fetch a GitHub module and build a binary, a normal, expected install for a CLI written in Go and preferable to arbitrary downloads. The module path is consistent with the project name; the install compiles and writes a binary named 'sonos'. Two caveats: go install fetches through the module proxy and checks the module hash against the Go checksum database by default, which guards against a tampered download but not against a malicious upstream release; and the version selector is @latest, so the build is not pinned and two installs at different times can produce different code. Pin to a tag you have reviewed if you want a reproducible binary.
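The checks this report makes by hand (an unpinned @latest install spec, env vars referenced in SKILL.md but absent from requires.env, credential-looking names in those references) as a small pre-install lint. This is an added example, not ClawScan's scanner or the sonoscli project's code. The manifest shape (an install spec string, a requires.env list, the SKILL.md text), the ALLOWED_HOSTS and CRED_WORDS policy lists, and the SKILL.md text are assumptions constructed for the example; the install spec and the empty requires.env are taken from the report above.

```python
"""Pre-install lint for a skill manifest of the shape this report describes.

Added example; not ClawScan's scanner or the sonoscli project's code.
Assumed manifest shape: an install spec string, a requires.env list, and the
SKILL.md text. ALLOWED_HOSTS, CRED_WORDS and the sample SKILL.md are
constructed for this example; the install spec and the empty requires.env
come from the report.
"""
import re
from dataclasses import dataclass

ALLOWED_HOSTS = {"github.com"}  # assumed policy: where module sources may come from
CRED_WORDS = {"SECRET", "TOKEN", "PASSWORD", "PASS", "KEY", "APIKEY"}
# SCREAMING_SNAKE identifiers with at least one underscore (PATH, SSDP, UPnP do not match)
ENV_REF = re.compile(r"\b[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+\b")
# Pinned versions: semver tags and Go pseudo-versions (v0.0.0-<timestamp>-<commit>)
SEMVER = re.compile(r"v\d+\.\d+\.\d+(?:[-+][\w.-]+)?")


@dataclass(frozen=True)
class Finding:
    severity: str    # "note" or "warn"
    dimension: str   # mirrors the report's review dimensions
    message: str


def parse_go_install(spec):
    """Split 'go install <module/path>[@<version>]' into (path, version-or-None)."""
    m = re.fullmatch(r"go\s+install\s+(\S+?)(?:@(\S+))?", spec.strip())
    if not m:
        raise ValueError(f"not a go install spec: {spec!r}")
    return m.group(1), m.group(2)


def lint_install(spec):
    """Flag module hosts outside the allowlist and unpinned versions."""
    findings = []
    path, version = parse_go_install(spec)
    host = path.split("/", 1)[0]
    if host not in ALLOWED_HOSTS:
        findings.append(Finding("warn", "Install Mechanism",
                                f"module host {host!r} is not in the allowlist"))
    if version is None or not SEMVER.fullmatch(version):
        findings.append(Finding("warn", "Install Mechanism",
                                f"version {version!r} is not a pinned tag; "
                                "two installs may build different code"))
    return findings


def lint_env(skill_md, requires_env):
    """Cross-check env-var names mentioned in SKILL.md against requires.env."""
    findings = []
    declared = set(requires_env)
    for name in sorted(set(ENV_REF.findall(skill_md))):
        if name not in declared:
            findings.append(Finding("note", "Instruction Scope",
                                    f"{name} referenced in SKILL.md but not declared in requires.env"))
        if any(part in CRED_WORDS for part in name.split("_")):
            findings.append(Finding("note", "Credentials",
                                    f"{name} looks like a credential; supply only if the feature needs it"))
    return findings


def lint_skill(install_spec, requires_env, skill_md):
    """All findings for one manifest, install checks first."""
    return lint_install(install_spec) + lint_env(skill_md, requires_env)


def pin_install(spec, tag):
    """Rewrite an install spec to a reviewed tag (the manual-review path in the guidance)."""
    path, _ = parse_go_install(spec)
    if not SEMVER.fullmatch(tag):
        raise ValueError(f"not a pinned tag: {tag!r}")
    return f"go install {path}@{tag}"


# Install spec and empty requires.env as stated in the report; SKILL.md text is
# constructed to match the report's description of it.
SAMPLE_INSTALL = "go install github.com/steipete/sonoscli/cmd/sonos@latest"
SAMPLE_REQUIRES_ENV = []
SAMPLE_SKILL_MD = """# sonos

Requires the `sonos` binary on PATH.
Commands: discover, status, play, volume, group (local network, SSDP/UPnP).
Optional: set SPOTIFY_CLIENT_ID and SPOTIFY_CLIENT_SECRET to enable Spotify search.
"""

if __name__ == "__main__":
    for f in lint_skill(SAMPLE_INSTALL, SAMPLE_REQUIRES_ENV, SAMPLE_SKILL_MD):
        print(f"[{f.severity}] {f.dimension}: {f.message}")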
Credentials: note
The skill declares no required environment variables, which is proportional to its purpose. The only sensitive environment references are the optional Spotify credentials mentioned in the docs; supplying them gives the binary your Spotify API credentials, which is expected for Spotify search but should be done only if you trust the module.
Persistence & Privilege: ok
The manifest's 'always' flag is false, and the skill does not request elevated or persistent system-wide privileges. According to the provided metadata it does not modify other skills or agent-wide configuration.