HiLink LTE Modem
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its modem-control purpose, but the included script has local code-execution risks and exposes powerful SMS, SIM PIN, and network actions.
Install only if you are comfortable letting the agent control a local Huawei HiLink modem, including reading/sending/deleting SMS and handling SIM PIN operations. Treat SMS contents as sensitive, avoid storing PINs in plaintext, review the sudo network commands, and consider fixing the script’s unsafe Python argument interpolation and shell-sourced config before use.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an agent or user passes a malicious SMS index, the skill could run unintended local code, not just read an SMS.
The SMS index argument is interpolated directly into Python source code passed to python3 -c. A crafted index could break out of the string and execute arbitrary Python as the local user.
local index="$1" ... python3 -c "... if msg.findtext('Index') == '${index}': ... print('SMS ${index} not found') ..."
Pass the index to Python via argv or an environment variable, validate it as numeric, and never concatenate user-controlled values into executable code.
Anything written into that config file will execute whenever the script runs, which is broader than ordinary configuration parsing.
The config file is sourced as shell code, although the user-facing setup presents it as a place to store simple variables such as HILINK_GATEWAY.
CONFIG_FILE="${HOME}/.config/hilink/config"
if [ -f "$CONFIG_FILE" ]; then
source "$CONFIG_FILE"
fi
Parse only expected KEY=VALUE settings, validate values, restrict file permissions, and clearly warn users not to place untrusted content in the config file.
An agent using this skill can affect your SIM account, incur SMS charges, delete messages, or change SIM protection if instructed.
The documented commands can send SMS messages, delete SMS messages, and disable the SIM PIN. These are expected for the stated purpose but are high-impact actions.
scripts/hilink.sh sms send "+41791234567" "Hello!"
scripts/hilink.sh sms delete 40001
scripts/hilink.sh pin disable 1234
Use the skill only for explicit user-requested modem actions, and require confirmation before sending/deleting SMS or changing SIM PIN settings.
Running the skill may prompt for administrator privileges and can change local networking behavior.
The script uses sudo to modify local network interfaces and routes. This is related to making the modem reachable, but it crosses a local privilege boundary.
sudo ip addr add "$STATIC_IP" dev "$iface" ... sudo ip link set "$iface" up ... sudo ip route del default via "$GATEWAY" dev "$iface"
Review the network commands before use, prefer a preconfigured interface where possible, and avoid granting passwordless sudo to this script.
The skill may handle a SIM credential and could unlock or change SIM security settings.
The script can read a SIM PIN from the environment/config and send it to the local modem API to unlock the SIM.
SIM_PIN="${HILINK_PIN:-}" # Set in config or pass via 'pin enter' ... <CurrentPin>${SIM_PIN}</CurrentPin>
Avoid storing SIM PINs in plaintext config when possible, restrict config file permissions, and only provide the PIN for deliberate modem-management tasks.
