Back to skill
Skillv1.0.0
ClawScan security
RTL-SDR WFM RDS Decoder · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 9, 2026, 7:47 PM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and required tools are consistent with an RTL‑SDR FM recording + RDS extraction tool and do not request unrelated credentials or hidden network endpoints.
- Guidance
- This skill appears coherent and implements the described RTL‑SDR → FM → RDS → MP3 workflow. Before installing/running: 1) Run python3 scripts/fm_iq_pipeline.py --check to confirm required tools are on PATH and inspect probeMessage if any tool is unavailable. 2) Install rtl_sdr/rtl_fm/rtl_power (driver access to the USB SDR), ffmpeg, python3, numpy, scipy, and redsea from trusted package sources. 3) Be aware the scripts spawn subprocesses and write recordings/debug JSON to disk (out-dir and a /tmp redsea fallback path). 4) If you are concerned about safety, run in a sandboxed Linux environment with limited network access and inspect the rds-debug-<freq>.json outputs after --decode-rds. 5) No secrets or remote endpoints are requested by the skill; ensure you trust the origin of the package before running code from an unknown source.
Review Dimensions
- Purpose & Capability
- okThe name/description promise (IQ capture, WBFM demod, RDS extraction, MP3 naming) matches the included Python scripts and the SKILL.md. The scripts call expected external binaries (rtl_sdr, rtl_fm, redsea, ffmpeg) via subprocess, perform offline demodulation with numpy/scipy, and write MP3/JSON outputs. There are no unrelated credentials or unexplained dependencies declared.
- Instruction Scope
- okSKILL.md instructs only FM‑related orchestration (check, scan, decode, record), recommends running the included scripts, and documents required tools and outputs. The runtime code interacts with local tools, reads pipe output, performs local file I/O (out-dir, /tmp fallback for redsea), and writes debug JSON and MP3 files — all consistent with the stated tasks. There are no instructions to collect system-wide secrets, read unrelated config, or send data to external network endpoints.
- Install Mechanism
- okNo install spec is provided (instruction-only install), and all code is bundled with the skill. There are no downloads from external URLs or archive extraction steps in the manifest. The execution model relies on local system binaries being present, which is expected for this tooling.
- Credentials
- okThe skill requests no environment variables or credentials. It does rely on local system binaries and devices (rtl_* tools that access an RTL‑SDR USB device and ffmpeg for encoding) which is proportional to its purpose. Note: using the skill requires granting the process access to the SDR hardware (USB/dev nodes) and write access to the chosen out-dir.
- Persistence & Privilege
- okThe skill is not always-enabled and does not request elevated platform privileges. It does not attempt to modify other skills or global agent settings. Autonomous invocation is allowed by default (normal for skills) but not combined with any other red flags.