Skill

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: aster
Version: 0.1.14

The skill bundle is classified as suspicious due to the extremely broad and powerful access it grants to a mobile device, including the ability to execute shell commands (`aster_execute_shell`), read/write/delete files (`aster_read_file`, `aster_write_file`, `aster_delete_file`), access SMS messages (`aster_read_sms`, `aster_send_sms`), get GPS location (`aster_get_location`), control the clipboard (`aster_get_clipboard`, `aster_set_clipboard`), and initiate phone calls (`aster_make_call`). While these capabilities are openly declared and align with the stated purpose of an 'AI CoPilot on Mobile', they pose significant security and privacy risks if the skill or the AI agent using it is compromised. The `SKILL.md` file details these high-risk tools and the forwarding of sensitive data (like SMS content and notifications) to the AI agent via webhooks.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If enabled broadly, an agent could send texts, place calls, tap through apps, or modify/delete accessible files.

Why it was flagged

The skill exposes tools that can mutate phone state, communicate externally, automate the UI, and change/delete files. The artifacts do not describe per-action approval or tight scoping for these high-impact operations.

Skill content

`aster_send_sms` - Send an SMS text message ... `aster_make_call` - Initiate phone call ... `aster_write_file` ... `aster_delete_file` ... `aster_input_gesture` - Tap, swipe, long press

Recommendation

Use only with explicit human confirmation for calls, SMS, file deletion, app interactions, and other irreversible actions; prefer a spare device or restricted profile.

What this means

A malicious SMS, chat message, or notification could try to inject instructions into the agent’s context.

Why it was flagged

Notification or message text from the phone is packed into a field that the AI reads, and the event can wake the agent immediately. The artifact does not describe treating that content as untrusted data.

Skill content

Events are sent as HTTP POST ... The AI reads the `message` field ... `[data-text] Hey, are you free tonight?` ... `wakeMode`: `now`

Recommendation

Treat callback content as untrusted, delimit it clearly, filter event sources, and require confirmation before taking actions based on incoming notifications or messages.

What this means

Private notifications, message contents, device identifiers, and app metadata could be delivered to an agent endpoint, and an exposed webhook could be spoofed if not protected.

Why it was flagged

Sensitive phone event data can be sent to an agent webhook. The artifact says this is configurable, but does not show authentication, signature validation, filtering, or endpoint exposure limits for the webhook.

Skill content

Aster can push real-time events from the phone to your AI agent via webhook ... Example ... `[device_id]` ... `[data-package]` ... `[data-title] John` ... `[data-text] Hey, are you free tonight?`

Recommendation

Keep callbacks disabled unless needed, use authenticated/private endpoints, restrict event types and apps, and avoid exposing the webhook publicly.

What this means

Photo/video metadata and search context may reveal locations, times, and personal media details to the agent.

Why it was flagged

The skill can index/search private media metadata, including potentially sensitive EXIF data. The artifact does not clearly bound paths, retention, exclusions, or reuse of indexed media context.

Skill content

`aster_index_media_metadata` - Extract photo/video EXIF metadata ... `aster_search_media` - Search photos/videos with natural language queries

Recommendation

Limit media indexing to selected folders or a spare device, review retention settings, and avoid indexing sensitive personal media unless necessary.

What this means

The agent may see private messages, notifications, and location data from the connected phone.

Why it was flagged

These privileged Android data sources are disclosed and align with the device-control purpose, but they are highly sensitive and should be granted deliberately.

Skill content

`aster_read_notifications` - Read notifications ... `aster_read_sms` - Read SMS messages ... `aster_get_location` - Get GPS location

Recommendation

Review Android permissions carefully, use the minimum needed permissions, and consider using a dedicated device rather than a primary personal phone.

What this means

You must trust the upstream npm package and Android release artifacts, not just this SKILL.md file.

Why it was flagged

The setup depends on an external global npm package and Android release APK. That is expected for this integration, but the provided skill artifact does not include the runnable code or a pinned install specification.

Skill content

`npm install -g aster-mcp` ... `aster start` ... Install the Aster Android app ... from Releases

Recommendation

Inspect the upstream repository, pin versions where possible, verify release provenance, and install only from trusted sources.