Skill v0.1.0
ClawScan security
Agent Tool Scout · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review, Mar 14, 2026, 8:12 AM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary
- The skill's capabilities match its description (controlling macOS apps via AppleScript/CLI), but the bundle contains a large embedded Python virtualenv and server-related code that are disproportionate to the stated simple instruction-only skill and increase the attack surface — review before installing or granting permissions.
- Guidance
- What to consider before installing and using this skill:
  - Origin and trust: The SKILL.md recommends 'pip install clam-mac' from PyPI. Confirm the package author and PyPI project (and check code/release history). The registry entry's homepage points to a GitHub repo; inspect that repo and confirm it matches the package on PyPI.
  - Review the code: The published bundle contains a full Python virtualenv (many site-packages) and a module named mcp_server. If you plan to install, review src/clam/mcp_server.py and any networking code to see whether it starts servers, binds ports, or sends data externally.
  - Minimize scope: Run pip install in an isolated environment (dedicated virtualenv or container/VM) rather than system Python. Avoid running it as root.
  - Be cautious with macOS permissions: The tool requires macOS Automation and Accessibility grants to control other apps. Granting those gives the installed tools significant control over your system. Only grant them after you trust the code.
  - Check credential access: The bundle contains keyring-related packages. If the package attempts to access the system keychain or other secret stores, confirm why and whether that behavior is necessary.
  - Prompt-injection artifact: The unicode-control-chars finding suggests obfuscated characters in SKILL.md; view the raw file (e.g., in a hex-capable editor) to ensure there is no hidden malicious content or misleading text.
  - If you need networked behavior: be explicit about it. If you do not want a persistent server, do not run MCP-server components (or run them in an isolated VM and firewall any listening ports).
  - If unsure: test in a disposable environment (VM) first and audit the installed package files and any network/listening sockets after installation. Prefer manual review, or use known, audited packages, instead of blindly installing large third-party bundles.
- Findings
- [unicode-control-chars] unexpected: The pre-scan detected Unicode control characters in SKILL.md, which can be used for prompt injection or display obfuscation. This is not expected for a benign documentation/instruction file and should be inspected to ensure there are no hidden characters designed to manipulate parsers or reviews.
Review Dimensions
- Purpose & Capability
- note: The name/description (generate CLI wrappers, control Mac apps via AppleScript) align with the declared requirements (osascript + pip) and SKILL.md instructions. However, the published bundle contains a huge set of code files (a full virtualenv/site-packages, tests, an MCP server, and many source files). Declaring the skill as instruction-only while shipping a large codebase (including third-party packages) is inconsistent and disproportionate: an instruction-only skill should not need the entire venv embedded. The presence of mcp_server.py and other runtime code is more than expected for a simple wrapper generator.
- Instruction Scope
- note: The SKILL.md instructs the agent to run pip install clam-mac and to use clam commands that scan the system, install CLI wrappers, and execute AppleScript (via osascript). Scanning installed apps and generating wrappers logically requires reading system app metadata and invoking osascript; that is consistent with purpose. The instructions explicitly require Automation/Accessibility permissions (macOS privacy), which is appropriate but sensitive. The instructions do not ask for unrelated files or environment variables and do not explicitly transmit data to external endpoints, but the included codebase (MCP server) implies possible networking behavior beyond what SKILL.md documents.
- Install Mechanism
- concern: The SKILL.md recommends 'pip install clam-mac' (a standard, expected distribution method). However, the skill bundle as published includes many code files including an entire virtualenv/site-packages tree and tests. That is inconsistent with the 'no install spec / instruction-only' listing and unusual: bundling a full venv in the skill increases disk footprint and attack surface (multiple third-party packages). There is no external download URL in the skill metadata, but if the agent follows the SKILL.md and pip-installs the package, it will pull code from PyPI (expected). The inconsistency between 'instruction-only' and the presence of full source + venv is a red flag worth manual review.
- Credentials
- note: The skill declares no required environment variables or credentials, which is proportionate to its stated local-automation purpose. Nonetheless, the included codebase contains packages (keyring, requests, and other libs) and a module named mcp_server; these could interact with system keyrings or open network endpoints if executed. While nothing in SKILL.md asks for secrets, the presence of keyring-related code means the installed package, if executed, might access system credential stores (this may be legitimate for certain integrations but should be reviewed).
- Persistence & Privilege
- note: The skill is not 'always: true' and does not declare elevated privileges. Still, the project includes an MCP server component and README instructions describing registering an MCP server (Claude Code / MCP). Running or enabling that server would create a persistent network-exposed capability and increase blast radius. Granting Automation/Accessibility permissions (required for many commands) is also sensitive; SKILL.md correctly warns about those macOS permissions. The combination of potential networking (mcp_server) plus local automation permissions merits caution.
