v1.0.0

Native App Performance

Benign
ClawScan verdict for this skill. Analyzed May 1, 2026, 4:43 AM.

Analysis

This skill is coherent for local macOS/iOS performance profiling and shows no evidence of exfiltration, persistence, credential use, or hidden behavior.

Guidance: This appears safe to use for its stated purpose. Before using it, confirm you are profiling the intended app or process, keep trace outputs in an appropriate local location, and remember that trace files and symbolication output can reveal internal function names and performance details.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
scripts/record_time_profiler.sh
xcrun xctrace record --template 'Time Profiler' --time-limit "$duration" \
    --output "$trace_path" --attach "$attach_pid"

The wrapper can attach Time Profiler to a user-specified local process, and can also launch a user-specified binary. This is expected for the skill, but profiling the wrong target can capture unintended process performance data.

User impact: If used on the wrong PID or binary, the resulting trace may expose stack frames, symbols, and performance details from an unintended local app.
Recommendation: Only run it for the intended process or app, confirm PID/binary/output path/duration first, and avoid profiling unrelated or sensitive processes unless that is the explicit task.

Agentic Supply Chain Vulnerabilities
Severity: Info | Confidence: High | Status: Note
metadata
Required binaries (all must exist): none
Required binaries (at least one): none
No install spec — this is an instruction-only skill.

The workflow and scripts rely on local developer tools such as xcrun/xctrace, otool, vmmap, and rg, but the registry requirements do not declare them. This is an under-declared dependency note, not hidden install behavior.

User impact: The skill may fail or behave unexpectedly on systems without the expected Apple developer command-line tools, and users may not realize those tools are prerequisites from the metadata alone.
Recommendation: Verify that the needed local tools are installed from trusted sources, preferably Apple Xcode Command Line Tools, before using the skill.