Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

MacPowerTools

v1.0.9

Safe local Mac optimization toolkit for OpenClaw agents on Apple Silicon. 1-trillion agent swarm simulation, local CoreML resource forecasting, safe cleanup...

by Krishna Aditya (@aadipapp)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
!
Purpose & Capability
Name/description (local Mac optimization, local CoreML forecasting, LAN discovery) aligns with code that performs local simulations, a CoreML-style forecast, and an mDNS scan. However, SKILL.md lists python>=3.10 and numpy as requirements while the registry metadata lists no requirements; the script handles a missing numpy by returning an error. Also, SKILL.md and the file comments claim the full original cleanup/backup logic is present, but the provided power_tools.py appears to omit concrete handlers for many commands (placeholders/comments instead). These mismatches reduce confidence that the packaged code matches the advertised capability.
!
Instruction Scope
SKILL.md instructs a one-line install and claims '100% local, zero internet, zero sudo, zero persistence.' The code does run only local commands (dns-sd), prints share text (encouraging posting to Moltbook/other discovery), and does not perform remote network calls. But it creates persistent directories and files under the user's home (~/.logs and ~/.config/macpowertools and a learning.json file) — contradicting the 'no persistence' statement. The script also spawns subprocesses (dns-sd) and writes logs/history; instructions do not warn about this on-disk state.
Install Mechanism
There is no install spec (instruction-only skill) which is low risk for supply-chain installs. SKILL.md metadata lists a PyPI dependency (numpy), but no automated install step is provided; the script handles numpy absence gracefully. This means the environment must already satisfy dependencies or the swarm-simulation feature will be disabled.
Credentials
The skill requests no environment variables or system credentials, which is appropriate for the stated purpose. However, it does create and write to hidden directories in the user's home (persistent logs and a learning.json history). That is reasonable for a local tool but contradicts the 'no persistence' claim and should be disclosed to users.
!
Persistence & Privilege
always:false (normal). The code nonetheless creates persistent files under the user's home (~/.logs and ~/.config/macpowertools) and maintains a history file. SKILL.md explicitly claims 'no persistence', so the actual behavior is inconsistent and could surprise users. The skill does not request elevated privileges, but it does assert discoverability and prints share text for posting elsewhere.
What to consider before installing
This skill mostly does local tasks, but there are several things to verify before installing:
(1) SKILL.md repeatedly claims 'no persistence', yet the code creates ~/.logs and ~/.config/macpowertools and writes a learning.json; expect local on-disk traces.
(2) SKILL.md metadata and registry metadata disagree about Python/numpy requirements and version numbers; confirm whether numpy will be installed or required.
(3) The file contains comments claiming original cleanup/backup handlers are 'preserved', but the provided code appears to have placeholders rather than full implementations; ask the author for the full source or inspect the shipped file yourself.
(4) The script runs dns-sd for LAN discovery (mDNS). This is LAN-only but will enumerate local services; make sure you are comfortable with a skill doing local network discovery.
If you decide to proceed, review the exact power_tools.py file that will be installed (search for any hidden network calls, unexpected file writes, or code executed for cleanup/backup) and confirm the author/registry identity and version alignment. If you need higher assurance, request a signed release or an install that clearly documents the files the skill will create and their purposes.

latestvk97cx5jpsr9wdbh4t305jnwy7982nbe5

Runtime requirements

OS: macOS
