Skillv1.1.4

ClawScan security

Audio Broadcast · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 21, 2026, 10:58 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill mostly does what it says (control Xiaoboshu broadcast devices), but the package includes embedded credentials and APIs that can be repurposed to send callbacks to external hosts — those inconsistencies warrant caution before installation.
Guidance: Before installing or enabling this skill: - Inspect and remove or replace the bundled config.json: it contains an ID, token, host and username (admin). Do not use the included token; instead run the provided login command to store your own credentials, or delete the file so the script cannot operate until you configure it. - Treat endpoints that set report/callback IPs (setreportudpip, setwaringlinewifi, etc.) as sensitive: they can be used to make devices call out to external hosts. If you will use this skill, verify it cannot be used to send device data or callbacks to attacker-controlled servers. - The SKILL.md suggests creating a cron job under /root/.picoclaw/… — avoid blindly copying that path. If you need scheduled cleanup, run it under an appropriate unprivileged account and review the script first. - The package expects external tools (ffmpeg, eyeD3, Edge TTS tooling) but does not declare them; ensure you only install tools you trust. - If you want higher assurance, ask the maintainer/source for: (1) the origin of the bundled config.json (why is an admin token included?), (2) confirmation that the token is a placeholder, and (3) a minimal list of endpoints the skill will call and any side-effecting functions (especially callbacks or report-setting APIs). If you cannot verify those, consider running the skill in an isolated network or decline installation.

Review Dimensions

Purpose & Capability: noteName/description match the code and documentation: the scripts implement login, device/file/task management, playback and TTS as described. However the package ships a config.json containing host/id/token/username (admin token) which is unexpected for a 'no-credentials-required' skill and is disproportionate to a purely instruction-only helper.
Instruction Scope: concernSKILL.md and scripts instruct the agent to read and write a local config.json and to POST to many /user/* endpoints on the configured host. The API surface includes endpoints for setting report UDP IPs and callback URLs (setreportudpip, setwaringlinewifi, precacheurlwifi, etc.) — these allow configuring device callbacks and can be used to exfiltrate data or direct devices to external hosts if misused. The docs also recommend creating a cron job under /root/.picoclaw/... which presumes privileged or specific filesystem layout. The skill also expects external binaries (ffmpeg, eyeD3) for metadata operations even though none are declared.
Install Mechanism: okNo install spec; this is an instruction-plus-scripts package (no downloaded code at install time). That lowers install-time risk because nothing is fetched from arbitrary URLs.
Credentials: concernDeclared requirements are empty, but the code relies on a local config.json for credentials. The shipped config.json contains host=127.0.0.1:12080 and a token and username (admin). Including credentials in the bundle is unexpected and risky: it may expose an account/token or cause the skill to operate using someone else's credentials. There is a mismatch between declared 'no credentials' and the practical need for an id/token.
Persistence & Privilege: notealways:false and the skill is not automatically forced into every agent run. The docs recommend adding a daily cron job to run cleanup_tts.py (persistence on the host if the user follows guidance). That is not intrinsically malicious but creates ongoing privileged activity if scheduled under root paths suggested in the README.