Satellite Copilot
v0.1.0Predict satellite passes (NOAA APT, METEOR LRPT, ISS) for a configured latitude/longitude and send WhatsApp alerts with manual dish alignment info (AOS/LOS azimuth+elevation, track direction, inclination). Use when setting up or operating a zero-AI pass scheduler/orchestrator for SDR satellite reception, including configuring NORAD IDs, minimum elevation, alert lead time, and optional remote capture/decode hooks (Pi RTL-SDR capture + Jetson SatDump decode).
⭐ 1· 1.8k·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description match the code: pass prediction (node script), orchestration (Python), optional remote capture/decoding hooks and WhatsApp alerts via a Clawdbot CLI. However the SKILL.md quick-start omits explicit mention that Node.js is required on the host (the Node predictor is invoked by the Python orchestrator) and that a local 'clawdbot' CLI must be installed and trusted; these runtime expectations are in README but not clearly enforced in SKILL.md.
Instruction Scope
The orchestrator/scheduler will run arbitrary capture/decode commands supplied in config (radio_scheduler.py uses subprocess.run(..., shell=True); orchestrator.py has placeholder SSH capture logic). Those commands are opt-in and disabled by default, but if enabled they can execute arbitrary shell code on the host or via SSH on remote hosts. orchestrator.py's ssh(...) sets StrictHostKeyChecking=accept-new (auto-accepts unknown host keys) which weakens SSH trust and can lead to MITM acceptance of attacker keys. The code also invokes an external TLE service over the network (tle.ivanstanojevic.me) — expected for the feature but still an external network dependency.
Install Mechanism
No install spec is provided (instruction-only with bundled scripts). That keeps the install surface small; nothing is downloaded or automatically written beyond run/state folders under the user's home directory.
Credentials
The skill declares no required environment variables or credentials, which is consistent with being a local orchestrator. However it implicitly depends on: a usable SSH key/agent for remote capture (if enabled), a trusted 'clawdbot' binary in PATH for WhatsApp notifications, and Node.js on PATH for pass prediction. Those dependencies and any private SSH keys are not called out in SKILL.md as required credentials.
Persistence & Privilege
The skill creates and writes state and run folders under ~/.clawdbot/radio-copilot (normal for an orchestrator). It suggests being run from cron (user action). always:false and no system-wide changes are requested. The main concern is that enabling capture/decode causes the skill to run user-specified commands and potentially SSH to remote hosts — this increases persistence/impact only when explicitly enabled.
What to consider before installing
This repository appears to do what it claims, but please review and take these precautions before enabling automation or capture: 1) Keep capture/ decode entries disabled until you’ve inspected and tested the exact commands you will run — they execute in a shell (shell=True) and can run arbitrary code on your host or remote host. 2) Don’t rely on the code’s auto-accept SSH behaviour; manually SSH to your Pi/Jetson once from this user to verify host keys or modify the code/command to avoid StrictHostKeyChecking=accept-new. 3) Ensure the 'clawdbot' CLI (used to send WhatsApp messages) is the genuine CLI you expect and is not a malicious binary earlier in your PATH. 4) Be aware the predictor fetches TLEs from a public third-party service (tle.ivanstanojevic.me) — if you need offline operation, replace/fork that fetch or vendor TLEs. 5) Secure the config file (chmod 600 is suggested in README) and limit who can edit it; review any cron entries before installation. If you want a lower-risk test: run the scripts with config.enabled=false and step through code locally, or run them in an isolated container/VM before using them on a production host.Like a lobster shell, security has layers — review code before you run it.
latestvk97f41c21r1werpazq4tps78z980awbe
License
MIT-0
Free to use, modify, and redistribute. No attribution required.