Skill v1.0.4
ClawScan security
IATerm WebSocket Agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 13, 2026, 8:18 AM
- Verdict
- Benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill is a local WebSocket client for controlling IATerm terminals, and its files and instructions match that purpose, but there are some metadata and UX mismatches to be aware of before installing.
- Guidance
- This skill appears to do what it says: it is a local WebSocket client for IATerm. Before installing: (1) confirm that the host application sets IATERM_SESSION_ID (do not generate it yourself); (2) be cautious about enabling --auto-approve or choosing 'always' at an approval prompt, because either removes the interactive safeguard; (3) note that the skill creates ~/.cache/iaterm-ws-client/ws_token.json and approval.json (mode 0600); inspect or delete these if you need to revoke access; (4) the package metadata does not list the required IATERM_SESSION_ID env var, so inspect the included script (ws_client.py) yourself and confirm there is no additional unexpected behavior before granting the agent autonomous invocation.
Review Dimensions
- Purpose & Capability
- note: Name/description, SKILL.md, and the included Python client all describe a local WebSocket client for IATerm (ws://127.0.0.1:19790/ws). The requested capabilities match the stated purpose. Minor inconsistency: the SKILL metadata declares 'Required env vars: none', but the client requires IATERM_SESSION_ID (documented as required).
- Instruction Scope
- ok: SKILL.md confines actions to connecting to a local WebSocket API, prompting the user for approval of sensitive operations, and caching tokens/approvals under the user's XDG cache directory. It does not instruct reading unrelated system files or exfiltrating data to external hosts. It does instruct a particular script path resolution (find under ~/.opc/skills), which is brittle but not malicious.
- Install Mechanism
- ok: There is no install spec and no downloads; the skill is distributed as source (ws_client.py), and the instructions tell you to pip install a single dependency ('websockets'). This is low risk compared to remote downloads or executing arbitrary installers.
- Credentials
- note: The client legitimately requires IATERM_SESSION_ID (and optionally IATERM_WS_PORT and XDG_CACHE_HOME). The skill metadata omits IATERM_SESSION_ID from its declared required env vars; this mismatch should be fixed. The only files written are the token/approval cache files in ~/.cache/iaterm-ws-client, created with 0600 permissions.
- Persistence & Privilege
- note: The skill does not request 'always' or system-wide privileges. It writes per-user cache/approval files and can be run autonomously by the agent (the normal default). Important: the CLI offers --auto-approve and persistent 'always' approvals stored in approval.json; enabling either weakens the interactive confirmation gate and increases the impact if the agent is misused.
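The Guidance, Credentials and Persistence findings above all point at the same pre-install checks: is IATERM_SESSION_ID provided by the host, are the two cache files really 0600, and has a persistent 'always' approval been stored that bypasses the prompt. The audit script below is an added example written for this review; it is not part of the skill, of ws_client.py, or of ClawHub's scanner. It assumes only what the report states (the env vars, the cache location under $XDG_CACHE_HOME, default ~/.cache, and the two file names). The internal layout of approval.json is not documented on this page, so the script treats any JSON string value equal to "always" as a persistent approval; that is an assumption, not the client's schema.

```python
"""Audit the iaterm-ws-client environment and cache before granting autonomy.

Added example, not code from the skill or from ClawHub. Assumes:
  - IATERM_SESSION_ID is set by the host application (required),
  - IATERM_WS_PORT and XDG_CACHE_HOME are optional,
  - ws_token.json and approval.json live in $XDG_CACHE_HOME/iaterm-ws-client
    (default ~/.cache) and should be mode 0600,
  - (assumption) a persistent approval is stored as the string "always"
    somewhere inside approval.json; the real layout is not documented here.
"""
import json
import os
import stat
from pathlib import Path
from typing import Any, Dict, List, Optional

CACHE_SUBDIR = "iaterm-ws-client"
CACHE_FILES = ("ws_token.json", "approval.json")
EXPECTED_MODE = 0o600


def cache_dir(env: Optional[Dict[str, str]] = None) -> Path:
    """Resolve the cache directory the way an XDG-aware client does."""
    env = dict(os.environ) if env is None else env
    base = env.get("XDG_CACHE_HOME")
    if not base:
        home = env.get("HOME")
        base = str(Path(home) / ".cache") if home else str(Path.home() / ".cache")
    return Path(base) / CACHE_SUBDIR


def check_env(env: Optional[Dict[str, str]] = None) -> List[str]:
    """Report env-var problems: missing session id, malformed port."""
    env = dict(os.environ) if env is None else env
    findings: List[str] = []
    if not env.get("IATERM_SESSION_ID"):
        findings.append("IATERM_SESSION_ID is not set; the host application must "
                        "provide it (do not generate it yourself)")
    port = env.get("IATERM_WS_PORT")
    if port is not None and not (port.isdigit() and 0 < int(port) < 65536):
        findings.append(f"IATERM_WS_PORT={port!r} is not a valid TCP port")
    return findings


def _count_always(node: Any) -> int:
    """Count string values equal to 'always' anywhere in a JSON tree (assumed marker)."""
    if isinstance(node, str):
        return int(node.lower() == "always")
    if isinstance(node, dict):
        return sum(_count_always(v) for v in node.values())
    if isinstance(node, list):
        return sum(_count_always(v) for v in node)
    return 0


def audit_cache(directory: Path) -> List[str]:
    """Check file modes and look for persistent approvals in approval.json."""
    findings: List[str] = []
    for name in CACHE_FILES:
        path = directory / name
        if not path.exists():
            continue  # nothing cached yet is the safest state
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode != EXPECTED_MODE:
            findings.append(f"{path}: mode {mode:04o}, expected 0600")
        if name == "approval.json":
            try:
                data = json.loads(path.read_text())
            except (OSError, ValueError) as exc:
                findings.append(f"{path}: unreadable or not JSON ({exc})")
                continue
            n = _count_always(data)
            if n:
                findings.append(f"{path}: {n} persistent 'always' approval(s); "
                                "the interactive gate is bypassed for those")
    return findings


def revoke(directory: Path) -> List[str]:
    """Delete the cached token and approvals; returns the names removed."""
    removed: List[str] = []
    for name in CACHE_FILES:
        path = directory / name
        if path.exists():
            path.unlink()
            removed.append(name)
    return removed


if __name__ == "__main__":
    problems = check_env() + audit_cache(cache_dir())
    print("\n".join(problems) if problems else "no findings")
```

Run it once before enabling autonomous invocation and again after any session in which you answered 'always'; a non-empty list from `audit_cache` means the approval gate described in the Persistence finding is no longer fully interactive, and `revoke` is the blunt way to reset it.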
