ClawHub

Agent Device

v1.0.1

Automates interactions for iOS simulators/devices and Android emulators/devices. Use when navigating apps, taking snapshots/screenshots, tapping, typing, scr...

3· 965·8 current·9 all-time
byOskar Kwaśniewski@okwasniewski
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the provided SKILL.md and reference files: everything documents CLI commands for iOS/Android automation (open, snapshot, press, replay, logs, record, batch, etc.). There are no unrelated required binaries, credentials, or install steps requested by the manifest that would contradict the stated purpose.
Instruction Scope
The instructions legitimately direct the agent to run local CLI commands and to read/write session logs and replay scripts under ~/.agent-device (and platform-specific paths like ~/Library/Logs/DiagnosticReports). This is expected for a mobile automation tool, but those steps do give the skill access to potentially sensitive local app logs and artifacts; references also mention optional signing env vars for physical iOS devices. The SKILL.md does not instruct exfiltration to external endpoints.
Install Mechanism
This is an instruction-only skill with no install spec or bundled code, minimizing install risk. The doc recommends preferring a preinstalled binary or pinning an exact package version if installing via npx, which is reasonable guidance.
Credentials
The manifest declares no required env vars; the docs reference optional sensitive variables (AGENT_DEVICE_IOS_TEAM_ID, AGENT_DEVICE_IOS_SIGNING_IDENTITY, AGENT_DEVICE_IOS_PROVISIONING_PROFILE, AGENT_DEVICE_APP_LOG_REDACT_PATTERNS) that are proportionate to iOS physical-device signing and log redaction. These are optional and the docs explicitly advise treating them as sensitive; still, providing signing credentials would be high privilege and should be done only when necessary.
Persistence & Privilege
always is false; the skill does not request forced inclusion or modification of other skills. It documents writing logs, session state, daemon metadata, and saved replay scripts under ~/.agent-device and explicit paths you supply, which is appropriate for its function and scoped to its own data.
Assessment
This skill appears coherent and matches its description, but be aware of two practical risks: (1) logs and session artifacts are written to your home (~/.agent-device) and may contain sensitive runtime data — review and redact before sharing; (2) iOS physical-device workflows may require optional signing environment variables (team ID, signing identity, provisioning profile) which are sensitive — do not populate these unless you trust the environment and understand the implications. Prefer using an already-installed, pinned agent-device binary (or a pinned npx invocation) and run automation in isolated/least-privilege environments when granting signing or CI access. If you need higher assurance, ask the publisher for an exact binary/package URL or provenance and a reproducible install artifact to audit before installing or running.

Like a lobster shell, security has layers — review code before you run it.

latestvk9758scrx8b23xwafhfwqtjdw581m0xg

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments