Skill v1.0.0
ClawScan security
Dht11 Temp · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 17, 2026, 10:10 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and runtime instructions are consistent with its stated purpose (reading a DHT11 on a Raspberry Pi); there are minor documentation/path mismatches and a small bug but no signs of exfiltration or unrelated privileges.
- Guidance: This skill appears to do exactly what it says: read a DHT11 sensor on a Raspberry Pi. Before installing, verify the script path (SKILL.md examples reference scripts/dht/main.py but the file is scripts/main.py), and update cron/examples accordingly. Install RPi.GPIO with pip3 as instructed and run with sudo (GPIO access commonly requires root). Note there is a minor bug: the script's return and the variable names in main may swap temperature/humidity output; test it once interactively to confirm output order. There is no network or credential access in the code, so there are no obvious exfiltration concerns.
Review Dimensions
- Purpose & Capability (note): The name/description (read DHT11 on GPIO) match the included Python script which uses RPi.GPIO and reads a GPIO pin. Minor inconsistencies: SKILL.md lists RPi.GPIO among required 'bins' (RPi.GPIO is a Python module, not a binary) and examples refer to scripts/dht/main.py while the repository file is scripts/main.py.
- Instruction Scope (note): Instructions only tell the agent to install RPi.GPIO and run the script (with sudo or via DHT_PIN env/CLI arg). They do not attempt to read unrelated files, contact external endpoints, or harvest credentials. The SKILL.md references an incorrect script path (scripts/dht/main.py) which is inconsistent with the actual file (scripts/main.py).
- Install Mechanism (ok): No automated install spec is provided (instruction-only). SKILL.md recommends pip3 install RPi.GPIO, which is proportionate and expected. Nothing is downloaded from arbitrary URLs or written by an install step.
- Credentials (ok): No credentials or sensitive environment variables are requested. The optional DHT_PIN env var is appropriate for GPIO pin configuration. No unrelated secrets or config paths are required.
- Persistence & Privilege (ok): The skill is not always-enabled and does not request elevated persistent privileges beyond the normal need to run GPIO access as root (usage shows sudo). It does not modify other skills or system-wide configs.
