Skill v1.0.0

ClawScan security

xgorobot · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 16, 2026, 11:41 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill appears to be a legitimate XGO robot control package, but it asks for an external API key and its runtime instructions and code perform privileged local actions and send camera images to a third‑party endpoint, which are disproportionate or sensitive for some uses.
Guidance
This skill is largely coherent with its stated purpose (controlling XGO robots), but it has several important caveats you should consider before installing or providing credentials:

- API key & image uploads: The skill will (when using AI scripts) capture camera frames and POST base64-encoded images to https://dashscope.aliyuncs.com using DASHSCOPE_API_KEY. Only provide that key if you trust that service and understand images from the robot will leave your network.
- Broad 'required' API key: The metadata marks DASHSCOPE_API_KEY as required for the skill even though many motion/sensor scripts don't need it. If you don't need AI features, avoid setting that env var or run only the scripts that don't call the remote API.
- Local privileged operations: The included libraries open /dev/ttyAMA0, touch GPIO, and call sudo pinctrl. Run this skill only on a dedicated Raspberry Pi or device intended to control the robot; do not run on a general-purpose host where those commands could affect other services. Avoid running the skill as root; check whether the sudo commands will block or fail.
- Execution of arbitrary local code: SKILL.md examples show executing scripts from the skill directory and arbitrary custom scripts (/tmp/my_script.py). That means any agent or user command that invokes the skill can execute Python on your device — audit or sandbox custom code and only run scripts you trust.
- Review & limit network exposure: If you must use the AI features but want to limit data leakage, consider using a local/offline model instead of the remote API, or place the device behind a firewall and use an API key with tight scope and revocation capability. Monitor network traffic and rotate the API key if it is exposed.
- If unsure, test in a controlled environment (isolated Pi, no sensitive camera-facing location) and review the specific scripts you plan to run.

If you want, I can extract the exact lines that perform network access, sudo invocation, and serial/GPIO usage so you can audit them more easily.

Review Dimensions

Purpose & Capability
note
Name/description, script list and libraries match a robot-control skill (motor, vision, sensors, display). However the skill declares DASHSCOPE_API_KEY as a required (primary) credential even though only some AI/vision scripts use it — making the key mandatory for the whole skill is broader than strictly necessary for basic motion/control.
Instruction Scope
concern
SKILL.md requires the agent to run shell commands on the host (cd into /home/pi/.npm-global/... and run a specific Python virtualenv) and gives examples that run arbitrary scripts (including /tmp/my_script.py). The docs instruct using a host-specific virtualenv path (/home/pi/RaspberryPi-CM5/blocklyvenv/bin/python) and node_modules path — these are environment-specific and grant the skill the capability to execute arbitrary code on the device. The codebase also contains network calls that POST base64-encoded camera images to an external API (dashscope.aliyuncs.com), which causes sensitive sensor data (camera) to be transmitted off-device.
Install Mechanism
ok
No install spec is provided (instruction-only installer in metadata), so nothing is downloaded during install by the registry. Code files are included in the skill package rather than being pulled from arbitrary third-party URLs — this lowers install-time risk.
Credentials
concern
The skill requires a single env var DASHSCOPE_API_KEY as primary credential. That maps to calls in scripts (e.g., ai_find_step) which call https://dashscope.aliyuncs.com and require the key — so the key is relevant to AI features. But making it mandatory for the whole skill is disproportionate because basic motion, sensor reads, and many scripts do not need that key. Also the skill will transmit camera images to the external API when used, which is a privacy/credential-sensitive operation and should be explicit to the user before providing the key.
Persistence & Privilege
note
The skill is not always:true and does not claim system-wide persistence. However the runtime code assumes and attempts privileged hardware access: it opens /dev/ttyAMA0 for serial communication, manipulates GPIO and pinctrl via os.system('sudo pinctrl ...'), and uses RPi-specific libraries. Those behaviors require local hardware privileges (GPIO/serial) and possibly sudo. This is expected for robot control but is high privilege and should be granted only on trusted dedicated devices.