Skill v1.0.0

ClawScan security

Amateur Radio DX Monitor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 16, 2026, 9:59 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill appears to implement the described DX-cluster monitoring features and doesn't request credentials, but there are documentation/code inconsistencies and a few privacy/usability concerns you should review before installing.
Guidance
This skill is functionally coherent with its DX-monitoring purpose and does not ask for secrets, but review and fix a few things before you run it automatically:
1) Documentation vs code mismatch: SKILL.md says state is saved in your home dir, but the code saves to /tmp/dx-monitor-state.json; decide which you want and update the code/docs so you know where persistent state will live.
2) Privacy: the included dx-ai-config.json contains a specific lat/lon and a callsign; edit or remove that before use.
3) The AI-enhanced script invokes the local dx-monitor.py and parses its human-readable output; this is brittle and may miss spots or behave unexpectedly if the output format changes. Test interactively first.
4) The tool connects to public DX cluster telnet nodes (plain-text telnet); run it as a non-privileged user and do not expose sensitive data.
5) If you plan to schedule automated cron jobs or integrate notifications (Telegram/Discord), review and test those integrations locally first.
If you want higher assurance, ask the author to: (a) correct the state-file/docs mismatch, (b) add a structured output (JSON) mode for dx-monitor.py so the AI-enhanced watcher can reliably parse spots, and (c) remove/obfuscate any default personal location data.

Review Dimensions

Purpose & Capability
Note: The name/description match the shipped Python scripts: dx-monitor.py and dx-ai-enhanced.py implement telnet DX-cluster monitoring, digest generation, and a local AI-like scoring feature. The presence of package.json (Node-style metadata) is unnecessary but not dangerous; it appears to be registry metadata only. Overall capabilities align with the stated purpose.
Instruction Scope
Concern: The SKILL.md instructs the agent/user to run the included Python scripts and to schedule cron jobs for monitoring; that scope is appropriate. However, there are contradictory details: SKILL.md claims state is saved to ~/dx-monitor-state.json (home directory), while the actual code uses STATE_FILE = '/tmp/dx-monitor-state.json'. The AI-enhanced watcher relies on invoking dx-monitor.py via subprocess and then parses its human-readable output (fragile/inconsistent parsing). These documentation/code mismatches could cause unexpected behavior (lost state, failed parsing) and should be fixed before automated scheduling.
Install Mechanism
OK: No install spec is provided (instruction-only skill with code files). That is low-risk: nothing is downloaded at install time and no external installers are invoked.
Credentials
Note: The skill requests no environment variables or external credentials and only uses standard Python stdlib operations. Two items to note: a default dx-ai-config.json shipped with the skill includes a real-looking latitude/longitude (privacy concern: change before use), and the code writes a state file to /tmp (or is documented to use the home dir). No unrelated credentials are requested.
Persistence & Privilege
OK: The skill is not force-included (always: false) and does not request special platform privileges. It writes local state (state file) and reads/writes the included dx-ai-config.json in the skill directory, as expected for this functionality. The SKILL.md recommends cron jobs; scheduling these is user-controlled.