Skill v1.0.0

ClawScan security

Openhue · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 11, 2026, 8:21 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's requirements and instructions line up with its stated purpose (controlling Philips Hue via the OpenHue CLI); nothing requests unrelated credentials or risky installs.
Guidance
This skill is narrowly focused and appears coherent: it expects the openhue CLI and uses it to talk to a local Philips Hue Bridge. Before installing, verify the Homebrew formula/tap (openhue/cli) is legitimate and maintained, ensure you want the agent to be able to invoke local CLI commands that access your LAN, and only install the CLI on machines you trust. If you run on a platform without Homebrew, confirm an appropriate install path. If you need higher assurance, inspect the openhue project repository/release artifacts before installing.

Review Dimensions

Purpose & Capability
ok: Name/description match the runtime instructions: the SKILL.md tells the agent to use the openhue CLI to discover/setup a Hue Bridge and get/set lights/scenes. The declared binary (openhue) and the brew install in the SKILL.md metadata are appropriate for this purpose.
Instruction Scope
ok: Instructions are narrowly scoped to running openhue commands (discover, setup, get, set). They do not ask the agent to read unrelated files, environment variables, or send data to third-party endpoints. The only external interaction implied is local network access to a Hue Bridge and the user action of pressing the bridge button during setup.
Install Mechanism
note: There is no platform-level install spec in the registry, but the SKILL.md metadata includes a brew formula (openhue/cli/openhue-cli) which is a normal, expected install path. This is low-risk compared with arbitrary downloads, but note brew is platform-specific (macOS/Linux with Homebrew). Verify the tap/formula provenance before installing.
Credentials
ok: The skill requests no environment variables, no credentials, and no config paths. That is proportionate for a local-bridge control CLI which uses local network discovery and bridge-approved setup (pressing the bridge button).
Persistence & Privilege
ok: always is false and the skill does not request persistent system-wide changes or access to other skills' configs. It simply instructs usage of a local CLI; no elevated or unexpected privileges are requested.