Skill v1.0.0

ClawScan security

ADS-B Overhead · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 11, 2026, 8:42 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, instructions, and requirements are internally consistent with the stated purpose (local ADS‑B monitoring and WhatsApp alerts); it makes expected network requests and writes state under ~/.clawdbot but does not demand unrelated credentials or elevated privileges.
Guidance
This skill appears to do exactly what it claims: monitor a local SBS/readsb TCP feed and send WhatsApp alerts via your Clawdbot CLI. Before installing/running:
1) Confirm your SBS host/port are correct and that the feed is local/trusted (the script will connect to whatever --host you supply).
2) Review and set ~/.clawdbot/adsb-overhead/config.json and use secure file permissions (example uses chmod 600).
3) Ensure the clawdbot CLI is installed and available to cron (the notifier calls it via subprocess).
4) Be aware the skill will make outbound HTTP(S) requests only if you enable enrichment or photos (tar1090 URL and Planespotters API).
5) Note a minor code oddity: the image download allowlist checks for the substring "plnspttrs.net" which looks like a typo/abbreviated domain and may prevent photo downloads even when enabled — this is not malicious but you may want to review/adjust that check if you expect photos.
If you want a stricter security posture, disable photo/enrichment features and run the checker manually to validate behavior before adding it to cron.

Review Dimensions

Purpose & Capability
ok: Name/description match the code and runtime instructions: scripts connect to a local SBS/BaseStation TCP feed, compute distances, apply cooldowns, optionally enrich from a local tar1090/readsb JSON URL, optionally query Planespotters for photos, and send notifications via the Clawdbot CLI. No unrelated credentials, binaries, or installs are requested.
Instruction Scope
ok: SKILL.md and the scripts limit actions to the stated task: connect to a configured SBS TCP host/port, read optional aircraft JSON, fetch optional photos, persist per-aircraft state under ~/.clawdbot/adsb-overhead, and invoke the Clawdbot CLI to send messages. The instructions do not request arbitrary file reads, environment secrets, or external endpoints outside the described enrichment/photo APIs.
Install Mechanism
ok: No install spec is present (instruction-only installation). Code files are included but there is no download-from-URL or package install step; nothing will be written to system locations except the state/photo directories under the user's home when run.
Credentials
note: The skill requests no environment variables or credentials. It does read and write files under the user's home (~/.clawdbot/adsb-overhead) which is appropriate for local configuration/state. It performs outbound network requests to configured aircraftJsonUrl (often local) and to Planespotters' public API; if you do not want outbound internet access for these lookups, disable photo/enrichment options.
Persistence & Privilege
ok: "always" is false and the skill does not attempt to modify other skills or system-wide agent settings. It persists only its own state and optional photo cache under ~/.clawdbot which is expected for a cron-style watcher.