Skill v0.6.1

ClawScan security

Mac Node Bridge · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 20, 2026, 8:40 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's files and runtime instructions are coherent with its stated purpose (creating SSH-backed wrappers so a Linux gateway can run macOS binaries) and do not request unrelated credentials or install third-party code from the network.
Guidance
This skill appears to do exactly what it says: create SSH wrappers that execute a single remote macOS binary. Before installing: (1) ensure you control and trust the target Mac(s); (2) use a dedicated SSH key and a non-root account on the Mac; (3) prefer passing --ssh-key and --known-hosts so the wrapper is constrained to a key and known-hosts file; (4) inspect the generated wrapper file to confirm it calls only the intended absolute binary (remote-bin must be an absolute path); (5) run scripts/verify-node-tool.sh first to confirm the remote binary exists; and (6) avoid pointing wrappers at shells or generic remote shells (that would let the wrapper run arbitrary commands). The main remaining risk is operational: these wrappers execute commands on remote hosts you designate—if the remote host or SSH key is compromised, the bridge grants remote execution, so follow the least-privilege and auditing guidance in references/security-model.md.

Review Dimensions

Purpose & Capability: ok
Name/description, SKILL.md, and included scripts all implement the same feature: create small SSH-based wrapper scripts to run a specific macOS binary on a remote Mac. There are no unrelated environment variables, host endpoints, or unnecessary dependencies requested.
Instruction Scope: ok
SKILL.md and scripts only direct the agent/user to verify remote binaries via SSH, create per-tool wrappers, and test them. The instructions explicitly require passwordless SSH and limit scope to single binaries; they do not attempt to read or exfiltrate unrelated files or secrets. The workflow is narrow and documented.
Install Mechanism: ok
This is instruction-only with local shell scripts that write wrapper files into user-controlled directories. There are no downloads from remote URLs or package manager installs; nothing arbitrary is fetched or executed from third-party servers during install.
Credentials: ok
The skill does not require secrets or env vars beyond conventional path variables (OPENCLAW_BIN_DIR, XDG_DATA_HOME, HOME) and optional SSH key/known_hosts arguments passed at install time. Requested data is proportional to the bridge purpose.
Persistence & Privilege: ok
The skill does not request always:true or other elevated platform privileges. It installs per-user wrapper scripts and does not modify other skills or global agent settings.