ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Mobilerun

v1.0.0

Control real Android phones through the Mobilerun API. Supports tapping, swiping, typing, taking screenshots, reading the UI accessibility tree, and managing...

1· 168·0 current·0 all-time
by@mariozada
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the declared requirement (single API key MOBILERUN_API_KEY) and the runtime instructions focus on the Mobilerun REST API for screenshots, UI tree, taps, swipes, typing, and task submission. There are no unrelated environment variables, binaries, or config paths requested.
Instruction Scope
SKILL.md and the included docs specify exactly which API endpoints to call, how to probe device state, and how to behave (observe-act loop). It explicitly warns about not sharing screenshots or the API key and limits which device fields to surface to users. The only broader instructions relate to installing the Portal APK and enabling Accessibility on the phone — these are necessary for the described functionality, and the docs explain them.
Install Mechanism
This is instruction-only with no install spec and no code files. That is the lowest-risk install model; nothing is downloaded or written by the skill itself.
Credentials
The skill requires a single credential (MOBILERUN_API_KEY) which is directly relevant and declared as the primary credential. No other secrets, unrelated tokens, or config paths are requested.
Persistence & Privilege
The skill is not forced always-on (always:false), requests no system-wide changes, and does not modify other skills' configurations. It can be invoked autonomously by the agent (default), which is normal for skills; this autonomy is not combined with other concerning factors.
Assessment
This skill appears internally consistent with its purpose. Before installing, note: (1) the MOBILERUN_API_KEY grants programmatic control of devices on the associated Mobilerun account — treat it like a password and do not paste it into chat; (2) screenshots and the UI tree can contain sensitive personal data, and the skill's docs explicitly warn not to transmit them beyond the user — follow that guidance; (3) enabling Android Accessibility and installing the Portal APK are required for controlling a personal phone and are powerful permissions — only install the Portal APK from the official source (the doc points to a GitHub releases page) and ensure you trust the Mobilerun service; and (4) using cloud/device tasks may incur billing/credits per the subscription doc. If you want extra caution, only allow user-invoked runs (avoid persistent automation) and avoid sending sensitive inputs (passwords, 2FA codes) through screenshots or the UI tree.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dzxa3zz6hknngavert4dz89833f8p

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📱 Clawdis
EnvMOBILERUN_API_KEY
Primary envMOBILERUN_API_KEY

Comments