Skillv1.0.2

ClawScan security

Omniscient · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewApr 10, 2026, 6:52 AM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The skill's description matches the included scripts (it truly can control many local devices and run generated code), but it is extremely broad in scope, performs potentially sensitive local operations (camera/microphone/serial/network/GPU/disk/PowerShell), auto-installs Python packages at runtime, and its SKILL.md promises safety/confirmation guarantees that are not verifiably enforced — review and sandbox before use.
Guidance: This skill bundles many powerful local-control scripts (camera, microphone, GUI automation, serial, Bluetooth, GPU, disk, PowerShell/registry edits, etc.). Although the scripts implement what the README claims (so the package is internally coherent), it can: 1) access/modify hardware and system state, 2) record audio and capture photos, 3) run PowerShell/shell commands and change registry or power plans, and 4) auto-install Python packages from PyPI at runtime. Before installing: - Only install if you fully trust the author or are prepared to audit the code. - Run it in an isolated environment (VM, disposable account, or sandbox) first. - Review the bundled scripts (the ones listed) for any network callbacks, hardcoded endpoints, or unreachable/obfuscated code (some files were truncated in the manifest; review those too). - Prefer explicit, interactive confirmation before allowing any camera/microphone/registry/disk-modifying operations. - If you need limited functionality, ask for a smaller skill scoped only to the required subsystem (e.g., 'camera-only' or 'audio-only'). If you want, I can: 1) scan the remaining omitted files for risky patterns, 2) list exact places where the scripts auto-install packages, or 3) produce specific steps to sandbox and test this skill safely.

Review Dimensions

Purpose & Capability: noteThe name/description (full-system control, cognition+execution+control) aligns with the shipped Python controller scripts which cover audio, camera, bluetooth, serial, GPU, storage, network, GUI automation, etc. The requested metadata (no env vars, no binaries) is coherent because the skill operates locally via bundled scripts.
Instruction Scope: concernSKILL.md instructs the agent to automatically route arbitrary tasks to system-control scripts and states it 'applies to any task, no exceptions.' That grants broad discretion. The runtime instructions rely on launching many local actions (PowerShell, shell commands, hardware access). The doc claims high-risk operations require user confirmation but I cannot verify enforcement in the instructions; the scripts do perform sensitive actions (camera capture, microphone recording, registry edits, executing PowerShell commands).
Install Mechanism: noteNo external install spec (lower risk) and all code is bundled. However multiple controller scripts auto-install dependencies at runtime via pip (pycaw, sounddevice, opencv, bleak, psutil, etc.), which implies network access to PyPI and dynamic package execution — this increases runtime attack surface and supply-chain risk.
Credentials: noteThe skill requests no environment variables or external credentials, which is proportionate to local device control. Nevertheless, the skill exercises wide access to local subsystems (files, devices, PowerShell, registry) without declaring privileged requirements; some operations may require elevated permissions and can affect system state.
Persistence & Privilege: concernalways:false (good) but model invocation is enabled (normal). The combination of autonomous invocation capability and extremely broad local control increases blast radius: if the agent invokes the skill without careful confirmation, it could perform many sensitive actions. SKILL.md claims safety gating, but that gating is a policy statement in text, not an enforced technical control visible in the package.