Skill v1.0.0
ClawScan security
Ham Radio DX Monitor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 11, 2026, 8:30 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code and instructions are coherent with a DX-cluster monitoring tool: it connects to listed telnet cluster nodes, parses spots, writes a small /tmp state file, and suggests optional cron/notification usage — nothing in the provided files requests unrelated credentials or external endpoints.
- Guidance: This skill appears to be what it claims: a telnet-based DX cluster monitor implemented in Python using only the standard library. Before installing, consider:
  1) The README references a setup script (./scripts/dx-monitoring-setup.sh) that was not included — don't run missing/unknown installers;
  2) The script writes state to /tmp/dx-monitor-state.json and suggests cron jobs that will run the script on a schedule — install cron entries only for a non-privileged user and inspect the exact crontab lines;
  3) The SKILL.md shows piping output to external notification tools (e.g., Clawdbot/Telegram) but no built-in notification code is present — ensure any notification CLI/tools you use are trusted and correctly configured;
  4) The script connects to the listed DX cluster hostnames over TCP (telnet-style). If your network policies restrict outbound connections, or if you only want to use certain nodes, adjust the cluster list;
  5) I reviewed the visible portions of the code (parsing, socket use, state save); the provided file content was truncated in the prompt, so if you plan to deploy, open and review the entire dx-monitor.py yourself (or run it in a sandbox) to confirm there are no unexpected behaviors in the remainder of the file.

  Running it as-is under a standard user account is reasonable.
Review Dimensions
- Purpose & Capability (ok): Name/description (Ham Radio DX monitoring) match the code and SKILL.md: the script connects to DX cluster telnet nodes, parses spots, produces digests and supports cron-run alerts. The declared dependencies (Python stdlib) align with the code.
- Instruction Scope (note): Instructions are scoped to monitoring and digest generation. They recommend using your callsign and adding cron jobs, and show how to pipe output into external notification tools (e.g., grep + Clawdbot). The skill does write/read a local state file (/tmp/dx-monitor-state.json) and suggests log files (/tmp and ~/), which is expected for this use case. SKILL.md/README mention a setup script (./scripts/dx-monitoring-setup.sh) that is not present in the provided files — this is a documentation/packaging inconsistency to be aware of but not a security contradiction.
- Install Mechanism (ok): No install spec is present (instruction-only with included script). That is low risk since nothing is downloaded or extracted during install. The script depends only on Python stdlib.
- Credentials (ok): The skill requests no environment variables or secret credentials. It asks users to provide their callsign (a public identifier for ham ops) optionally. No unrelated credentials, tokens, or config paths are requested.
- Persistence & Privilege (note): The skill does persist state to /tmp/dx-monitor-state.json and the README/SKILL.md recommend adding cron jobs to run the script periodically — these are reasonable for an automated monitor. It does not require always:true and does not modify other skills or system-wide agent settings. As with any cron job, run under a least-privilege user and review cron targets before installing.
