Skill v0.6.1
ClawScan security
Src · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 20, 2026, 8:40 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code and instructions match its stated purpose (creating SSH-based wrappers to run macOS binaries from a Linux gateway); nothing requested is disproportionate to that goal.
- Guidance
- This skill appears to do exactly what it says: create small SSH wrappers so a Linux gateway can call macOS binaries on trusted Mac nodes. Before installing, ensure you have passwordless SSH set up with a scoped key (prefer one key per gateway or per-node), pin known_hosts if possible, and install wrappers as a non-root user into an expected directory. Review the generated wrapper scripts (they exec ssh and pass args through to the remote binary) so you understand exactly what remote commands will run and to confirm no broad shell bridging is being created. Do not store private keys or OAuth tokens in the skill folder; revoke or rotate the dedicated SSH key if you remove the wrapper. If you need stricter isolation, test in a sandboxed account/machine first. Overall the design is coherent, but pay attention to SSH key management and quoting/argument handling in your environment.
Review Dimensions
- Purpose & Capability
- ok: Name/description (macOS-to-Linux bridge) align with included scripts and instructions. The scripts only require SSH access to a Mac node and create wrapper scripts that invoke remote binaries; there are no unrelated env vars, downloads, or surprising dependencies.
- Instruction Scope
- note: SKILL.md is prescriptive and scoped to installing/verifying wrappers and publishing wrapper-aware skills. It explicitly requires passwordless SSH and instructs where wrappers are placed. Minor implementation notes: wrappers forward arguments to remote binaries and invoke ssh 'bash -lc' with a quoted command string — this is expected for the use case but means the remote shell interprets the constructed command, so correct quoting and least-privilege wrappers are important.
- Install Mechanism
- ok: No remote install/downloads or package installs; the skill is instruction-first and includes local scripts only. Nothing in the scripts fetches or executes code from arbitrary URLs.
- Credentials
- ok: The skill does not request additional credentials or config; it relies on standard SSH keys/known_hosts and optional env vars (OPENCLAW_BIN_DIR, XDG_DATA_HOME, HOME) for install paths. That is proportional to the described functionality. The skill explicitly advises best practices for SSH key scoping and not storing secrets in the skill folder.
- Persistence & Privilege
- ok: always is false and the skill is user-invocable. Installation writes wrapper scripts to a user-visible bin directory (configurable) which is normal and limited in scope. The skill does not modify other skills or system-wide agent settings.
