Skillv1.0.0

ClawScan security

HiLink LTE Modem · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 8, 2026, 2:23 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's behavior matches a HiLink modem manager, but it performs privileged system/network changes, sources a user config file (allowing arbitrary shell execution), and does not declare required binaries — these mismatches and risks merit caution.
Guidance: This skill does what it says (manage Huawei HiLink modems) but requires elevated network privileges and has two practical risks: (1) it sources ~/.config/hilink/config which will execute any shell code in that file — only use a config that contains simple variable assignments and inspect it before running; (2) the included script expects tools (curl, python3, ip, sudo, ping, grep, sed) that the registry metadata doesn't declare. Before installing: inspect scripts/hilink.sh fully, don't place sensitive credentials/PINs in an unprotected file, run first in an isolated VM or container, and be prepared to review/undo udev and /etc/network changes. If you don't want the script to modify system networking, avoid running the parts that call sudo or require creating udev rules.

Review Dimensions

Purpose & Capability: noteName/description align with the included shell script and the documented HiLink API; the actions (SMS, PIN, signal, network setup) are coherent with a modem-management tool. However, the package metadata declares no required binaries while the script clearly depends on curl, python3, ip, sudo, grep/sed/awk, and ping — a discrepancy to be aware of.
Instruction Scope: concernRuntime instructions and the script direct the agent/user to modify network interfaces, create udev rules, edit /etc/network files, run sudo ip/route commands, and source ~/.config/hilink/config. Sourcing the config file executes any shell content inside it (not limited to simple variable assignments), which is a direct code-execution risk if the file is untrusted or tampered with. The skill only targets the local modem API (no external endpoints), but it has broad discretion over system networking.
Install Mechanism: noteThere is no install spec (instruction-only plus an included script), which is low risk for arbitrary remote downloads. But because a runnable script is included and it relies on several external binaries, the omission of dependency declarations is a packaging/information gap that could surprise users at runtime.
Credentials: concernNo credentials are requested by the registry metadata, which matches the local-only nature of the modem API. However, the skill reads/sources a local config (~/.config/hilink/config) that may include HILINK_PIN (SIM PIN) in plaintext — this is sensitive. More importantly, sourcing the config runs any shell code present, so the skill can effectively execute arbitrary content from a user-writable path, which is disproportionate if the intended purpose is only to read a few variables.
Persistence & Privilege: concernThe skill suggests persistent system changes (udev rule, /etc/network/interfaces.d entry) and issues privileged commands (sudo ip addr/route modification). These actions are consistent with a modem manager but require elevated privileges and will affect system networking; users should be aware and review/approve such changes explicitly before running.