Skill v1.0.3

ClawScan security

MoreLogin · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 1, 2026, 6:25 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This skill is a local CLI wrapper for the MoreLogin Local API; its files, dependencies, and runtime instructions are coherent with that purpose and do not request unrelated credentials or perform suspicious actions.
Guidance
This skill appears to do what it claims: a local CLI to control MoreLogin's Local API. Before installing, confirm you want to run a Node CLI that will: (1) call http://127.0.0.1:40000 (local only) to manage profiles/cloud phones, (2) install Node packages (npm install) which by default will also download devDependencies like Playwright/puppeteer that are large, and (3) optionally use adb (the brew formula installs android-platform-tools). Recommended precautions: run npm install with NODE_ENV=production or remove devDependencies if you only need the CLI; review bin/morelogin.js and common helpers if you want to be sure of specific network calls; do not commit any API tokens or MORELOGIN_TOKEN into repositories—store them in your secret manager if needed; verify the MoreLogin local API port on your system (docs show 40000 in some places and 5050 in others) and ensure MoreLogin desktop is the expected version. If you need a stricter footprint, consider running the CLI in an isolated environment (container or VM) and audit network access during use.

Review Dimensions

Purpose & Capability
ok: Name/description match the implemented artifacts: a Node CLI that calls the MoreLogin Local API on localhost and exposes browser profile, cloud phone, proxy/group/tag management. Declared requirements (node, adb) and the brew install of android-platform-tools are appropriate for ADB-related features. Minor documentation inconsistencies exist (some docs mention port 5050 while SKILL.md/README-OFFICIAL-API use 40000), but this looks like stale docs rather than malicious mismatch.
Instruction Scope
note: SKILL.md and the included docs constrain operations to the MoreLogin Local API (localhost) and describe expected flows (start/status/close, cloudphone info/ADB metadata, CDP connections). The instructions do not direct reading of unrelated host files or exfiltration. Notes: several docs/INSTALL.md suggest optional local config steps (TOOLS.md, optional env vars like MORELOGIN_API_URL/MORELOGIN_TOKEN) and include examples that mention ADB commands; review these optional steps to avoid accidentally persisting tokens in repo/config files.
Install Mechanism
note: Install steps are npm install for the CLI and a Homebrew formula for adb (android-platform-tools). These are standard for a Node-based CLI that interacts with local devices. Caveat: npm install will pull devDependencies listed (playwright, puppeteer-core) which are large and may download additional browser artifacts; consider installing with production mode or pruning dev deps if you want a minimal footprint.
Credentials
ok: The skill does not require secrets or external service credentials to operate; required binaries (node, adb) match the feature set. Some docs show optional env vars and advise storing an API token in config (user-provided), but these are optional and not declared as required. No unrelated credential names or excessive env access are requested.
Persistence & Privilege
ok: Skill is not force-included (always: false) and does not declare system-wide modifications. It provides a CLI and examples that run on demand; nothing in the repo indicates it will persistently modify other skills or global agent settings.