Skill v1.0.0

ClawScan security

Apple Serial Lookup · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 11, 2026, 9:19 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally consistent: it performs local decoding of legacy Apple serial formats and uses web lookups for newer/randomized serials, requests no secrets, and has no install steps.
Guidance
This skill appears to do what it says: it decodes old-format Apple serials locally and uses web searches/fetches for anything it cannot decode. Before installing, consider: (1) web lookups may send serial numbers to third-party sites (EveryMac and community sites) and may trigger captchas that the skill suggests bypassing with a browser tool — only provide serials you are comfortable sharing with those sites; (2) randomized post‑2021 serials cannot be decoded locally and require Apple’s checkcoverage (which involves a captcha and the official Apple site); (3) the local model-code database is compiled from community sources and may be incomplete or slightly inaccurate — treat results as best-effort; (4) no credentials are requested, so you should never need to provide Apple account data or API keys to use this skill. Minor note for maintainers: the decoder contains a duplicate dictionary key for 'D2' in LOCATIONS (a benign bug that affects lookup determinism for that key) but this is not a security issue.

Review Dimensions

Purpose & Capability
ok: Name/description match the implementation: the included Python decoder and model-code references support local decoding of old-format serials, and SKILL.md explicitly instructs web lookups for unknown/new randomized serials. Nothing requested (no env vars, no binaries) is out of scope for a serial-lookup utility.
Instruction Scope
note: Runtime instructions are narrowly scoped to (1) running the bundled decoder and (2) performing web searches/fetches against EveryMac and fallback sites, plus using Apple Check Coverage for randomized serials. Note: the SKILL.md suggests using browser automation when pages present captchas — that means the agent may use a browsing/web-fetch tool and will send serials to third-party sites; this is expected for the stated purpose but worth being aware of from a privacy perspective.
Install Mechanism
ok: No install spec is provided and the skill is primarily instruction + a small local decoder script. Nothing is downloaded or executed from external URLs during install.
Credentials
ok: The skill requests no environment variables or credentials. That is proportional to its stated purpose (serial decoding + web lookups). It does not ask for Apple account credentials, API keys, or other secrets.
Persistence & Privilege
ok: 'always' is false and there are no requests to modify agent/system configuration or to persist credentials. Autonomous invocation is allowed (platform default) but not combined with other concerning privileges.