ClawHub

clawdbot-macos-build

v1.0.0

Build the Clawdbot macOS menu bar app from source. Use when you need to install the Clawdbot.app companion (for menu bar status, permissions, and Mac hardware access like camera/screen recording). Handles dependency installation, UI build, Swift compilation, code signing, and app packaging automatically.

1· 2k·9 current·9 all-time
by@manish-basargekar
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes a legitimate macOS build flow (git clone, pnpm install, Swift build, codesign, install to /Applications). However the registry metadata lists no required binaries or source/homepage even though the instructions require Xcode, Node.js, pnpm and reference a GitHub repository — that metadata omission is inconsistent.
!
Instruction Scope
The instructions tell the user/agent to clone https://github.com/clawdbot/clawdbot.git and run build/package scripts (pnpm install, scripts/package-mac-app.sh) without recommending verification (commit hash, signatures). Running those scripts will execute arbitrary code from a remote repo and can require sudo and produce system changes (install to /Applications, launchd management, TCC permission prompts). The SKILL.md does not instruct verifying the packaging script prior to execution.
Install Mechanism
This is an instruction-only skill (no install spec), which avoids writing code into the agent. But the build performs network downloads (git clone, pnpm install, Swift package fetch) and executes repository scripts — a normal part of building but a higher-risk action because it executes third-party code obtained at runtime.
Credentials
The skill does not request environment variables or credentials. The instructions optionally reference a developer signing identity for production builds, which is reasonable and optional. No unrelated secrets are requested by the skill itself.
!
Persistence & Privilege
The workflow installs an app into /Applications, may manage launchd services, and requires granting system permissions (Accessibility, Screen Recording, Camera, etc.) to the built app. These are expected for a macOS companion app, but they are privileged actions and the skill does not surface or require explicit safeguards (for example verifying the build script) before performing them.
What to consider before installing
This skill appears to implement a normal macOS build, but exercise caution because it clones and executes code from a remote repository and performs privileged installs. Before running: - Verify the repository and maintainer: confirm the GitHub URL is official and prefer a pinned release tag or commit hash rather than cloning HEAD. - Inspect scripts/package-mac-app.sh and any build scripts in the cloned repo before executing; they can run arbitrary commands on your machine. - Consider building inside an isolated environment (Disposable macOS VM or dedicated account) to limit exposure. - Expect to grant system permissions to the final app and possibly use sudo to install to /Applications; do not run unknown scripts as root without review. - If you need production-signed builds, use your own Developer ID certs and never paste private keys or secrets into untrusted scripts; prefer ad-hoc signing for local testing. - Because the skill metadata lacks a declared source/homepage and omits required binaries, seek confirmation from the package owner or official docs before proceeding.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cq10z311xst01dermy5qben7zx917

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments