Skill v1.0.0

ClawScan security

Clawd Cursor 0.6.0 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 2, 2026, 2:24 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's behavior mostly matches a desktop automation agent, but there are inconsistencies and a few risky instructions (starting a background server without asking, undeclared dependency on git/npm, and implicit use of the agent's AI API key for screenshot processing) that warrant caution.
Guidance
This skill looks like a legitimate desktop automation agent, but review the following before installing:
- Undeclared requirements: SKILL.md requires git, node/npm, and npx but the registry metadata did not list these; installation will clone a GitHub repo and run npm install/build/start (which downloads and executes third-party packages).
- Credential usage: the skill inherits your agent's AI provider/API key and will send screenshots/text to that provider if you select a cloud model. If you want to avoid cloud data leakage, use a local provider (Ollama) or withhold the API key.
- Autonomy and persistence: the agent is instructed to start a background server (127.0.0.1:3847) and told to do so without asking the user in some cases — that gives the skill a persistent foothold that can capture screen contents and automate UI actions.

Recommended precautions: inspect the referenced GitHub repository (https://github.com/AmrDab/clawd-cursor) before running; run the software in a sandbox or VM first; prefer a local model provider (Ollama) if you must use it; and only enable this skill for users who explicitly consent to screen capture and background services. If you are uncomfortable with npm install / running a background server or with cloud-based screenshot processing, do not install.

Review Dimensions

Purpose & Capability
concern: The name/description (desktop UI automation) aligns with the SKILL.md runtime instructions (clone repo, build, run a local REST API that controls the desktop). However the registry metadata lists no required binaries or env vars while SKILL.md's install steps require git, npm/node, and npx — an undeclared dependency mismatch. That omission is incoherent and should have been declared.
Instruction Scope
concern: Instructions direct the agent to clone, build, and start a local Node-based server bound to 127.0.0.1 and to control screenshots and GUI actions. Two notable scope issues: (1) the SKILL.md explicitly tells the agent to start the server itself if connection is refused and to 'don't ask the user' when starting it, which grants the agent autonomy to run background processes without explicit user confirmation; (2) the skill will take screenshots and (depending on the configured AI provider) send them to that provider's API — SKILL.md states this, but this is sensitive behavior and the instructions give the agent operational latitude that could expose private data.
Install Mechanism
note: Install steps clone a GitHub repository and run npm install/build/start. GitHub is a reasonable source, but npm install pulls third-party packages which is moderate risk because it executes remote code during build/run. No obscure download URLs are used, but the install process is still substantial (writing to disk, installing dependencies, running a server).
Credentials
concern: The skill declares no required environment variables, yet notes that in OpenClaw it inherits the active agent's AI provider and API key. In effect the skill will use the agent's model API credentials to process screenshots/text. That credential use is plausible for the stated purpose, but it is not declared up-front in required env fields and it grants the skill the ability to send potentially sensitive screenshots to a cloud provider (unless the user selects a local provider like Ollama).
Persistence & Privilege
concern: The skill does not set always: true (good), but it instructs the agent to start and keep a local background server (npm start / node dist/index.js) and to operate it without asking the user in some cases. Running a persistent local server that can capture the screen and perform UI actions increases blast radius; starting it without an explicit user prompt is a notable privilege escalation compared with a purely ephemeral tool.