Skill v1.0.0
ClawScan security
Carrera HYBRID BLE Controller · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 5, 2026, 11:02 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This skill is internally consistent: it provides BLE protocol docs and a Python script to control Carrera HYBRID RC cars, and it only asks you to install BLE-related Python packages — there are no unrelated credentials, network endpoints, or unexplained install steps.
- Guidance: This package appears to do what it claims: control and reverse-engineer Carrera HYBRID cars via BLE. Before installing: (1) Review and run in a Python virtualenv and inspect the bless package source if you plan to use the MITM features. (2) Edit the ADDRESS in scripts/carrera_drive.py or use the provided scanner snippet to find your car. (3) Be aware the MITM instructions describe intercepting an app-to-car connection — do not perform that on devices you do not own or have explicit permission to analyze. (4) No external network endpoints or secrets are requested by the skill, but any code you run has access to your local system and Bluetooth adapter, so run only on a trusted machine.
Review Dimensions
- Purpose & Capability (ok): Name/description match the included files: protocol documentation and a BLE drive script. Required libraries (bleak, bless) and Linux/BlueZ are appropriate for BLE control and MITM capture. Minor note: the SKILL.md claims 'Telegram remote control' support but doesn't include a ready Telegram bot implementation — it only suggests mapping callbacks to run the script.
- Instruction Scope (note): Instructions stay within the stated purpose (driving, reverse-engineering via BLE). They include a MITM proxy method using 'bless' (explicitly describing how to create a fake peripheral and log writes) and a small Bleak-based scanner snippet; both are relevant to reverse-engineering, but the MITM guidance can be used to intercept another person's device — it's within scope, but ethical/legal considerations apply. The skill does not read unrelated system files or request extra environment variables.
- Install Mechanism (ok): No install spec (instruction-only) and the README asks to pip install bleak and bless. This is proportionate: bleak is the standard Python BLE client; bless is referenced for MITM capture. No downloads from untrusted URLs or archives are included.
- Credentials (ok): The skill declares no environment variables, no credentials, and no config paths. The code uses a hard-coded ADDRESS placeholder that the user must edit or replace with a scanner-run value.
- Persistence & Privilege (ok): always is false and the skill does not request persistent system privileges or modify other skills/configs. The skill is user-invocable only and does not ask to run autonomously with elevated presence.
