SidecarOneStep
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: sidecar-onestep
Version: 1.4.1
The skill bundle is a legitimate integration for SidecarOneStep, a macOS utility for managing iPad Sidecar connections. The provided files (SKILL.md, clawhub.json) describe standard functionality for device management, including connecting/disconnecting displays and starting a local HTTP control server, all of which align with the tool's stated purpose. No evidence of malicious intent, data exfiltration, or harmful prompt injection was found in the code or instructions.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill effectively relies on trusting the SidecarOneStep app downloaded from GitHub.
The skill asks the user to download an external macOS app and configure that app executable as an MCP server. This is central to the skill's purpose, but it means trust depends on the downloaded app and release source.
"url": "https://github.com/yi-nology/sidecarOneStep/releases/latest" ... "mcporter config add sidecar-onestep --command /Applications/SidecarOneStep.app/Contents/MacOS/SidecarOneStep --args mcp"
Download only from the official project links, verify the app/version/code-signing where possible, and keep it updated.
An agent using the skill can connect or disconnect an iPad display, change virtual display settings, and start or stop the Sidecar control server when instructed.
The exposed MCP tools can change local display/device state and start a control server. These capabilities match the Sidecar automation purpose, but they are real local-control actions.
`connect_device_async`, `disconnect_device`, `start_http_server`, `set_virtual_display_size`, `enable_virtual_display`, `disable_virtual_display`
Use the skill for explicit Sidecar tasks and review prompts that would change display state or start remote control.
If the HTTP control server is started, Sidecar control may become available through a local web interface.
The skill documents an HTTP web console for remote control, but the visible artifact does not describe binding, authentication, or network access limits. This is purpose-aligned but worth noticing.
"Remote Control" - Web console for controlling Sidecar from your phone ... `start_http_server port=8765`
Start the web console only when needed, prefer trusted networks, and check the SidecarOneStep app settings for access controls.
