Skill v1.0.1
ClawScan security
soarm-control · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 12, 2026, 11:42 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code and instructions broadly match a SOARM robot-control purpose, but there are notable inconsistencies and missing dependency/install guidance that make the package risky or likely to fail if installed as-is.
- Guidance: This skill appears to implement a local SOARM robot controller (Flask API, IK, vision). Before installing:
  1. Do not run the server unless you are on the machine that actually hosts the robot and camera; the code will attempt to open /dev/ttyACM0 and camera devices and will move hardware.
  2. Verify the missing files referenced in SKILL.md (references/so101_new_calib.urdf and the YOLO weights 'best.pt'); they are referenced but not present in the manifest. Ask the publisher where to obtain them.
  3. Prepare an isolated test environment (separate machine or network) and a conda env named 'lerobot', or update start_server.sh to point to your conda; dependencies (pinocchio, ultralytics, opencv, lerobot package) must be installed manually.
  4. Inspect the full soarm_api.py (the provided copy was truncated) to ensure there are no unexpected network endpoints or hidden behavior; confirm YOLO/model loading uses local files only.
  5. If you need higher assurance, request from the publisher: (a) a complete dependency/install script, (b) the referenced URDF and model files or their trusted sources, and (c) the full untruncated source of soarm_api.py.
  Given the missing files and lack of install guidance, treat this package as potentially unreliable or unsafe to run on production hardware until those gaps are resolved.
Review Dimensions
- Purpose & Capability (ok): Name/description align with the included code: the repository provides a local Flask API, joint/X/Y/Z motion scripts, IK via Pinocchio, and a YOLO-based detection routine. The functionality (robot control + vision) is coherent with the stated purpose.
- Instruction Scope (concern): SKILL.md instructs running a local server and curling endpoints on http://127.0.0.1:8000, which matches the included soarm_api.py. However, the README references additional files (references/so101_new_calib.urdf and a YOLO model 'best.pt' inside scripts) that are not present in the file manifest; the SKILL.md also leaves 'prepare lerobot env' vague. The API and scripts access local hardware (serial device /dev/ttyACM0 and a camera), so running this skill will operate hardware and a camera, which is expected for a robot-control skill but high-impact. The instructions do not document dependency installation or how model/URDF files are supplied.
- Install Mechanism (concern): No install spec is provided (instruction-only), but start_server.sh requires conda and a 'lerobot' conda environment. The code depends on heavy native and Python packages (pinocchio, OpenCV, ultralytics/YOLO, numpy). There is no automated install, no pinned package list, and no guidance for obtaining model weights/URDF; this mismatch increases the chance of runtime failures or manual misconfiguration.
- Credentials (ok): The skill does not request secrets or unrelated credentials. start_server.sh uses environment variables for configuration (SOARM_API_HOST/PORT, SOARM_PORT, LEROBOT_ROOT, CONDA_BIN), which are reasonable for a local hardware-control tool. No suspicious credential exfiltration is present in the visible code.
- Persistence & Privilege (ok): Flags show always:false and normal autonomous invocation. The skill does not request forced inclusion or claim to modify other skills or system-wide configuration. No persistence escalation observed.
