Skill v3.0.0

ClawScan security

Android GUI Automation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 29, 2026, 10:59 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill largely does what it claims (Android UI automation), but it omits/doesn't declare required environment variables and exposes powerful device-level operations (shell, file pull/push, logs, clipboard, screenshots) that could be used to read or exfiltrate sensitive data — review before installing or running.
Guidance
What to consider before installing:
- The code does what it says: it can fully control an Android device (clicks, swipes, screenshots, UI dumps, file transfer, run shell). Those are powerful capabilities that can access personal data (notifications, clipboard, app UI, files, logs).
- Metadata omission: the package metadata does NOT declare environment variables, but the scripts expect ANDROID_DEVICE (device address) and optional TG_BOT_TOKEN / TG_CHAT_ID (Telegram credentials) and other env vars. Expect to provide secrets for notifications; treat those tokens like any API secret.
- If you plan to run this: run it on a disposable or test device (not your primary phone) until you audit it. Only install dependencies from official sources (PyPI/GitHub) and review uiautomator2-mcp upstream.
- Limit network exposure: the SKILL.md shows usage via SSH to a phone IP and starts a server that listens for JSON-RPC over stdio/SSH; ensure SSH and the MCP server are only reachable from trusted hosts and networks.
- Review and restrict what you automate: automated posting, clipboard access, logcat reading, and shell/pull_file operations can leak private info. Do not run with agent autonomy enabled unless you trust the code and network environment.
- If you need to proceed: add the missing env var declarations in your runtime config, rotate any bot tokens after testing, and consider requiring manual confirmation for any operation that pulls files or runs shell commands on the phone.
- If you are unsure: ask the author for provenance (homepage/source), or prefer an implementation from a well-known repository or vendor with clearer metadata and declared secrets.

Review Dimensions

Purpose & Capability
Status: note
Name/description match the included code and instructions: the scripts and MCP server implement uiautomator2-based automation, price monitoring, posting, screenshots, and scheduling as claimed. Access to clipboard, logs, file push/pull, and shell on the phone is coherent with a phone-automation skill, though these are high-privilege actions on a device and should be expected and handled cautiously.
Instruction Scope
Status: concern
SKILL.md and included scripts instruct the user to install Python packages and run an MCP server, start SSH connections to a phone IP, and run cron jobs. The runtime code (examples and scripts) uses subprocess to SSH to a phone, calls uiautomator2 to dump UI XML, capture screenshots (including base64), read the clipboard, read logcat, and run shell commands on the device. The instructions do not declare or call out all environment variables that the scripts actually use (see environment_proportionality). Because the agent (or user) can request screenshots, XML dumps, clipboard contents, files, and shell command execution on the phone, the instruction scope includes potentially sensitive data access and transmission.
Install Mechanism
Status: ok
This is instruction-only / code-bundle with no automated install spec. The SKILL.md instructs manual pip/pkg installation of commonly used Python packages (uiautomator2, pillow, requests, schedule). No remote arbitrary binary downloads or obscure URLs are present in the provided materials; installation is manual via package managers, which is reasonable for Termux-based Python scripts.
Credentials
Status: concern
Registry metadata lists no required env vars, but the code references multiple environment variables (ANDROID_DEVICE / DEVICE_IP, TG_BOT_TOKEN, TG_CHAT_ID, PRODUCT/TARGET_PRICE in the taobao monitor, etc.). Secrets like TG_BOT_TOKEN / TG_CHAT_ID (Telegram bot token and chat id) and the device address/credentials are required for typical operation but are not declared in the skill metadata. The omission is an incoherence and increases risk because an installer may not realize sensitive tokens are needed or used. The number and sensitivity of env vars is proportionate to the feature set, but they should be declared explicitly.
Persistence & Privilege
Status: note
The skill does not request always:true and does not modify other skills. It can be invoked autonomously by the agent (platform default). Combined with the device-level capabilities (file transfer, shell, clipboard, logs), this raises practical risk if the skill is allowed to run without human oversight, but the skill itself does not request elevated platform privileges.