Skillv1.0.0

ClawScan security

android record screen and extract key frames · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 16, 2026, 8:25 AM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code and instructions match its stated purpose (record via scrcpy, re-encode with ffmpeg, extract key frames); the main risks are expected system-level actions during installation (udev rules, sudo) rather than any covert behavior.
Guidance: This skill appears to be what it claims: it records an Android device with scrcpy and extracts key frames with ffmpeg. Before installing/running: review scripts/install.sh because it will prompt to install packages and (on Linux) add you to plugdev and write /etc/udev/rules.d/51-android.rules (requires sudo). Only run the install script if you trust these changes; consider running the workflow manually if you prefer (install adb/scrcpy/ffmpeg via your package manager and run scripts/main.sh commands). Verify packages come from your distro's or Homebrew repositories, and back up any system udev rules if you are concerned. If you only want to run extraction against existing videos, you can skip the install and recording steps and run the extract-frames command on local files.

Purpose & Capability: okName/description (record Android screen, set keyframe interval, extract key frames) align with the included scripts and README. The scripts legitimately require adb, scrcpy, ffmpeg and perform the described operations.
Instruction Scope: okSKILL.md and scripts instruct only local actions: checking for tools, using scrcpy to record, using ffmpeg/ffprobe to analyze and re-encode, and listing PNGs. The scripts probe the connected device (adb devices, getprop) which is expected for this use case. There are no external network endpoints, hidden uploads, or instructions to read unrelated system files.
Install Mechanism: noteThere is no remote code download, but scripts/install.sh performs system changes: installing packages (brew/apt), adding the user to plugdev, writing a udev rules file to /etc/udev/rules.d and reloading rules. These are expected to enable USB access to Android devices but require sudo/admin rights and will modify system configuration.
Credentials: okNo credentials or sensitive environment variables are requested. Only optional env vars are KEYFRAME_INTERVAL and OUTPUT_DIR which are appropriate for the task.
Persistence & Privilege: noteThe skill does not request persistent automatic inclusion (always:false) and does not modify other skills. However, the install script requires and uses elevated privileges (sudo) to modify udev rules and groups — a necessary but privileged action to access USB devices.