Satellite Copilot
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you enable capture commands, the skill can run whatever shell command you place in the config, potentially repeatedly during satellite pass windows.
The optional capture hook can execute a shell command from the user’s config. It is disabled by default and purpose-aligned for SDR capture, but enabling it gives the scheduled job local command-execution authority.
subprocess.run(cmd, shell=True, cwd=str(run_dir), env=env, timeout=timeout)
Only enable capture hooks with commands you wrote or fully trust, keep them narrowly scoped, and review the cron schedule before leaving it unattended.
After setup, the scheduler can keep running and sending alerts without further prompts.
The skill documents a cron entry that runs every five minutes. This is expected for a pass scheduler, but it creates persistent background behavior until the user removes the cron job.
*/5 * * * * /usr/bin/python3 /path/to/radio-copilot/scripts/orchestrator.py >> ~/.clawdbot/radio-copilot/orchestrator.log 2>&1
Install the cron entry only if you want continuous scheduling, and remove or disable it when you no longer need automated pass alerts.
The skill can send WhatsApp notifications using your configured Clawdbot/Moltbot messaging account.
The orchestrator sends messages through the local Clawdbot CLI, which implies use of the user’s configured messaging/WhatsApp setup. This matches the skill purpose, and the message target comes from config.
subprocess.run([claw, "message", "send", "--channel", channel, "--target", target, "--message", message], capture_output=True)
Confirm the configured target phone number and channel before enabling scheduled alerts.
You may need to install dependencies yourself, and their exact versions are not specified by the artifacts.
The predictor depends on npm packages, while the supplied artifact set has no install spec or package manifest declaring pinned dependency versions. This is an installation/provenance gap rather than evidence of malicious behavior.
import fetch from 'node-fetch'; import * as sat from 'satellite.js';
Use trusted package sources, prefer pinned dependency versions, and review any dependency installation steps before running the scripts.