Skill v1.0.0
ClawScan security
Linux System Controller · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 5, 2026, 8:36 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill implements broad Linux control that matches its description, but the runtime instructions promise safety checks that are not enforced in the code, and it auto-installs packages and can perform destructive/network actions and arbitrary HTTP requests. These mismatches and powerful capabilities warrant caution.
- Guidance: This skill provides wide-ranging control of a Linux desktop and devices (processes, network adapters, shutdown/restart, USB/serial, GUI automation, and arbitrary HTTP calls). That capability is consistent with its name, but note two practical risks: (1) SKILL.md says the agent must confirm destructive actions, yet the scripts themselves do not require or enforce explicit confirmations, so an agent could run destructive commands if instructed. (2) The scripts install pip packages at runtime and suggest apt-get installs (which may need sudo), and the IoT/HTTP modules can call any URL you provide (so a malicious prompt could be used to send data out). Before installing: review the source files yourself or run the skill in a disposable VM; disable autonomous invocation or require manual approval for any actions that change system state; avoid providing long-lived tokens unless you trust the source; and prefer running these scripts under a restricted account or container to limit potential damage.
Review Dimensions
- Purpose & Capability (ok): Name/description align with the provided scripts: window/process/hardware/serial/IoT/GUI controllers. The functionality requested (window management, process control, serial comms, IoT HTTP calls, GUI automation) is coherent with the skill purpose, and there are no unrelated required environment variables or hidden cloud credentials.
- Instruction Scope (concern): SKILL.md mandates user confirmation for destructive operations (shutdown, reboot, kill, disable network) and 'list before operate' rules, but the included scripts do not implement or enforce interactive confirmation checks. An agent that invokes these scripts could run destructive commands without programmatic confirmation. The IoT module and generic HTTP functions allow requests to arbitrary endpoints/URLs with arbitrary headers/body (expected for IoT use, but also usable for exfiltration if misused).
- Install Mechanism (note): There is no formal install spec (instruction-only), but SKILL.md and the scripts perform on-demand installation: apt-get is suggested in dependencies and multiple scripts call pip install at runtime. Runtime pip installs and apt-get commands may require elevated privileges or network access; they write to disk and install packages. This is a moderate risk but consistent with a system-control skill.
- Credentials (ok): The skill declares no required environment variables or credentials. Home Assistant / IoT access is implemented to accept user-provided URLs and tokens at runtime (passed as CLI args), which is proportionate to the stated IoT functionality.
- Persistence & Privilege (concern): always:false (good), but the default agent autonomy (disable-model-invocation:false) plus powerful system-level operations (process kill/start, network enable/disable, power management, GUI automation, arbitrary HTTP) increases the potential blast radius if invoked autonomously. The SKILL.md safety rules rely on agent behavior rather than code-enforced safeguards.
