iClick Automation

What to consider before installing: - Source and provenance: the skill has no homepage and an unknown owner. Prefer skills with a clear upstream repo or vendor and a reviewable origin. - Local code execution: installing this skill will run a bundled Node server (server.js) when invoked. Review server.js and util/iclick.js to see which network endpoints it contacts, whether it listens on local/remote ports, and whether it logs or transmits device data externally. - Sensitive data access: the skill returns device IPs, names and screenshots and can delete or save media on devices. Only use it in a trusted, isolated environment and avoid giving it access to sensitive devices or networks until you audit the code. - Filesystem paths: the SKILL.md instructs moving temporary screenshots into ~/.openclaw/workspace — that path was not declared in metadata. Expect the skill to read/write local files; run it in a sandbox or container. - Testing recommendations: run the skill in an isolated VM/container with no network access first, inspect network activity (outbound connections), and search server.js for remote hostnames/URLs and for any use of child_process or direct network sockets. - If you cannot audit the server.js source or host the code yourself, consider declining or requesting the author provide a trusted upstream (GitHub repo, official vendor) and a rationale for bundling the node_modules. I have medium confidence because the manifest and SKILL.md are available and getScreenShot implementation is visible, but the full server.js and util/iclick.js code (entrypoint behaviours and any external endpoints) were not fully shown in the scanned summary — reviewing those files would raise confidence either way.