Satellite Copilot

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent satellite-pass alerting tool, with disclosed local state, cron scheduling, WhatsApp alerts, and opt-in capture hooks that users should configure carefully.

Install only if you want a local scheduled satellite-pass notifier. Before enabling cron, confirm the WhatsApp target, dependency sources, and TLE/network behavior. Do not enable capture or decode hooks unless the configured commands are ones you wrote or fully trust, because the secondary scheduler can run them with your local user privileges.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
env["PASS_END"] = p["passEnd"]
env["PASS_MAX"] = p["passMax"]
try:
    subprocess.run(cmd, shell=True, cwd=str(run_dir), env=env, timeout=timeout)
except Exception:
    pass
Confidence
99% confidence
Finding
subprocess.run(cmd, shell=True, cwd=str(run_dir), env=env, timeout=timeout)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documentation instructs users to run local scripts, create persistent files under the home directory, and use shell commands, but it does not declare corresponding permissions. That mismatch is dangerous because it hides the real capability surface from reviewers and operators, making file access, environment access, and shell execution appear less risky than they are.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The scheduler exceeds a narrow alerting role by directly executing arbitrary shell capture commands during satellite passes. In this skill context, that is especially risky because the feature is explicitly designed for unattended orchestration on SDR hosts, creating a durable automation path for arbitrary code execution.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The docstring states the scheduler is "conservative and safe" even though later code runs arbitrary shell commands. This can mislead operators and reviewers into underestimating the risk, increasing the chance the feature is deployed with excessive trust or inadequate controls.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The description says the skill sends WhatsApp alerts, which implies external network transmission and message delivery side effects, but the user-facing documentation does not clearly warn about that behavior. This can lead to unintended outbound communications, privacy issues, or unexpected charges if a user enables or runs the skill without understanding the messaging side effects.

VirusTotal

66/66 vendors flagged this skill as clean.
