Skill v1.0.0

ClawScan security

Android Moblink Integration · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 8:38 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's files and runtime instructions are coherent with an Assistant that helps integrate MobTech MobLink into an Android project; it operates on local project files and requests the project-specific secrets it needs, and there is no evidence of unrelated credential requests or external exfiltration.
Guidance
This skill appears to do what it says: generate a local Excel template, read values (including appKey/appSecret), and patch an Android project (Gradle files, Privacy callback insertion, ProGuard rules). Before installing/using it:
1) Back up your project and use version control so you can review and revert any automatic edits.
2) Confirm the agent prompts are shown and explicitly approve each modification (SKILL.md says it will ask; don't skip confirmations).
3) Treat appSecret and signature MD5 as sensitive — keep them local and avoid copying them into public README files; verify the skill does not transmit them externally.
4) Ensure Python openpyxl is available in the agent environment (or be prepared for the agent to install it); lack of declared dependency could cause unexpected package installation.
5) Review the exact Gradle/ProGuard changes the agent will apply (the skill promises to show diffs) and verify spEdition (GPP/FP/IZNAO) before it writes gradle.properties.
If you require higher assurance, run the script and file edits in an isolated environment first.

Review Dimensions

Purpose & Capability
ok: Name/description, SKILL.md and included files all focus on integrating MobLink into Android projects. The included Python helper (generate_excel_template.py) is reasonable for generating a config template. The skill does not request unrelated credentials, binaries, or config paths.
Instruction Scope
note: The SKILL.md instructs the agent to read and write files inside the user's Android project (create/copy an Excel template, read the filled Excel, modify Gradle files, insert privacy callback code, add ProGuard rules). These actions are within scope for an integration assistant, but they involve handling sensitive values (appKey/appSecret and signature MD5) and making code changes — the skill documents that it will ask for user confirmation before making changes, which is appropriate.
Install Mechanism
concern: There is no install spec (instruction-only), which keeps disk/exec risk low. However the included Python script imports openpyxl but the skill does not declare dependencies or an install step; the agent runtime may need to pip-install openpyxl to run the script. Lack of declared dependency may cause the agent to install packages at runtime — consider declaring dependencies or instructing the user to ensure openpyxl is available.
Credentials
note: The skill does not request environment variables or external credentials. It will read sensitive project-specific values (appKey, appSecret, package signature) from the user-provided Excel file — this is necessary for the stated purpose but is sensitive. The skill includes a note to avoid printing the appSecret in generated documentation, which is good practice.
Persistence & Privilege
ok: always is false; the skill is user-invocable and not force-included. It does not request persistent system privileges or modify other skills or system-wide agent configuration.