Skill v1.0.0

ClawScan security

Blucli · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 11, 2026, 8:20 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill appears to do what it claims (control BluOS devices) and its install comes from a GitHub Go module, but there are small metadata inconsistencies and an undeclared environment variable reference that should be clarified before install.
Guidance
This skill appears to be a thin wrapper that expects the 'blu' CLI. Before installing, verify the GitHub repo (github.com/steipete/blucli) to ensure you trust the code you're allowing to be compiled/run. Ask the publisher to fix the metadata mismatch (the registry listing should declare the 'blu' binary and the Go install step), and to explicitly declare BLU_DEVICE in requires.env if the skill will read that environment variable. If you proceed, prefer installing the blu CLI yourself from the upstream repo (or inspect its source) rather than relying on an automatic install step.

Review Dimensions

Purpose & Capability
[note] SKILL.md and metadata clearly target the 'blu' CLI (BluOS control) and the included install step installs that CLI via a Go module on GitHub — this matches the description. However, the registry metadata at the top of the report lists no required binaries or install spec while the SKILL.md declares 'bins:["blu"]' and an install entry; that mismatch is an internal inconsistency.
Instruction Scope
[note] Runtime instructions are limited to invoking the 'blu' CLI for device discovery, playback, grouping, and volume. They do not request unrelated files or network endpoints. The SKILL.md does reference the BLU_DEVICE environment variable as a target-selection mechanism, but BLU_DEVICE is not declared in the skill's required env list — this should be declared or the instructions clarified.
Install Mechanism
[note] The install instruction embedded in SKILL.md uses a Go module from github.com/steipete/blucli — a public GitHub path, which is a reasonable and expected source for a CLI. This is moderate risk (it will compile/run code from the repository). The registry-level metadata presented earlier claimed 'No install spec', so the presence of an install entry only in SKILL.md is an inconsistency to be aware of.
Credentials
[ok] No required secrets or high-privilege environment variables are declared. The only env var mentioned in the instructions is BLU_DEVICE (for selecting a target device), which is proportional to the skill's purpose but should be declared explicitly in requires.env so users know what the skill may read.
Persistence & Privilege
[ok] The skill does not request always:true and is user-invocable only; it does not request elevated or persistent platform privileges. Autonomous invocation is allowed (default), which is normal — no additional persistence or cross-skill config writes are indicated.