ROS
Warn
Audited by ClawScan on May 10, 2026.
Overview
This skill is openly a ROS robot-control tool, but it gives the agent broad ability to move or reconfigure robots without visible safety limits or approval guardrails.
Install only if you intentionally want an agent to control a ROS/ROS2 robot. Before use, make sure the robot is in a safe supervised environment, rosbridge is not exposed to untrusted networks, and the agent is required to ask for confirmation before any movement, service call, parameter change, or action goal.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used carelessly or invoked from an ambiguous request, the agent could move or reconfigure a robot in a way that affects people, equipment, or the environment.
These commands let the agent mutate robot state and issue physical movement or action goals. That matches the skill purpose, but the artifacts do not show approval requirements, allowlists, safety bounds, or containment for high-impact robot-control actions.
`topics publish <topic> <msg_type> <json>`, `services call <service> <type> <json>`, `params set <node:param> <value>`, `actions send <action> <type> <json>` and examples such as publishing `/cmd_vel` to move forward for 3 seconds.
Use only with supervised robots in a safe area. Add explicit confirmations for movement, parameter changes, service calls, and actions; consider topic/service allowlists, speed and duration limits, and an emergency-stop workflow.
Robot telemetry, sensor readings, and control commands may be visible or modifiable on networks where rosbridge is not otherwise protected.
The CLI communicates with rosbridge over a plain WebSocket URL and accepts a user-specified IP/port. This is expected for rosbridge integration, but users should understand that robot commands and sensor data traverse that connection.
url = f"ws://{ip}:{port}"
Run rosbridge only on trusted networks or behind appropriate authentication, VPN, firewalling, or TLS/WebSocket proxy controls.
The installed dependency version may vary across environments, which can affect reproducibility and supply-chain assurance.
The dependency installation is user-directed and purpose-aligned, but the package is not pinned in the instructions and there is no install spec to lock the version.
pip install websocket-client
Install dependencies from trusted package indexes and consider pinning a known-good `websocket-client` version in a reviewed environment.
