Skill v0.1.0
ClawScan security
iClick Automation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 10, 2026, 7:39 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill largely matches its stated iOS automation purpose, but there are inconsistencies and privacy/safety gaps (bundled server code executed locally, undeclared filesystem usage, unknown source) that warrant caution before installation.
- Guidance
- What to consider before installing:
  - Source and provenance: the skill has no homepage and an unknown owner. Prefer skills with a clear upstream repo or vendor and a reviewable origin.
  - Local code execution: installing this skill will run a bundled Node server (server.js) when invoked. Review server.js and util/iclick.js to see which network endpoints it contacts, whether it listens on local or remote ports, and whether it logs or transmits device data externally.
  - Sensitive data access: the skill returns device IPs, names and screenshots and can delete or save media on devices. Only use it in a trusted, isolated environment and avoid giving it access to sensitive devices or networks until you have audited the code.
  - Filesystem paths: the SKILL.md instructs moving temporary screenshots into ~/.openclaw/workspace; that path was not declared in the metadata. Expect the skill to read and write local files; run it in a sandbox or container.
  - Testing recommendations: run the skill in an isolated VM/container with no network access first, inspect network activity (outbound connections), and search server.js for remote hostnames/URLs and for any use of child_process or direct network sockets.
  - If you cannot audit the server.js source or host the code yourself, consider declining, or request that the author provide a trusted upstream (GitHub repo, official vendor) and a rationale for bundling the node_modules.

  I have medium confidence because the manifest and SKILL.md are available and the getScreenShot implementation is visible, but the full server.js and util/iclick.js code (entrypoint behaviours and any external endpoints) were not fully shown in the scanned summary; reviewing those files would raise confidence either way.
- Findings
[pre-scan-none-detected] expected: The provided static pre-scan reported no injection signatures. That does not imply safety: the package bundles executable server.js and many node modules which can perform network and filesystem operations; absence of regex findings is not sufficient to rule out misuse.
Review Dimensions
- Purpose & Capability
- note: Name/description (iClick iOS automation) align with the bundled code: there is a local Node server (server.js), an iclick-auto dependency, and many CLI helpers for device control. However, the registry metadata claims 'No install spec / instruction-only' while the package contains 87 files including node_modules and a server entrypoint; that mismatch is unexpected and should be explained by the author.
- Instruction Scope
- concern: SKILL.md instructs the agent to run the bundled Node server (node {baseDir}/server.js ...), which executes code included in the skill. It also instructs moving screenshots into ~/.openclaw/workspace, sending them, and deleting them afterward. Those filesystem operations reference a specific host path that is not declared in the skill metadata (the list of required config paths is empty). The instructions therefore require the agent to access the local filesystem and to handle potentially sensitive device data (IP, deviceName, screenshots).
- Install Mechanism
- ok: No external install spec or remote download is used; all required code is bundled with the skill. That reduces the risk of fetching arbitrary remote code, although it also means the bundled node_modules run exactly as shipped and have to be reviewed in place rather than trusted as a known upstream release. The package includes standard npm modules (ws, yargs, etc.) and an iclick-auto package, which is expected for this functionality.
- Credentials
- concern: The skill declares no required environment variables or credentials, which is consistent with running a local Node server. However, the skill exposes and returns sensitive device data (IP addresses, device names, screenshots) and provides device file deletion and file-transfer capabilities (saveMediaFile, delMediaFile, clearMediaFile). The SKILL.md claims 'do not proactively leak' such data, but the API semantics inherently surface these sensitive items; the skill does not declare or restrict access to them in metadata (no required config paths or disclaimers).
- Persistence & Privilege
- ok: Skill flags are normal: always:false and disable-model-invocation:false (normal autonomous invocation is allowed). The skill does not request to persist itself across agents or to modify other skills' configs in the manifest. No elevated platform-wide privileges are declared.
