ClawHub

Spacex

v1.0.0

CLI for AI agents to lookup SpaceX launches and rockets for their humans. No auth required.

0· 1.3k·0 current·1 all-time
by@jeffaf
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, required binaries (bash, curl, jq), and API usage (api.spacexdata.com) align with a SpaceX lookup CLI. However the README suggests cloning a different repo (jeffaf/spacex-skill) while the homepage points at the SpaceX-API repo, which is inconsistent.
!
Instruction Scope
Runtime instructions tell the agent to run a wrapper script at {skill_folder}/spacex (./spacex launches ...), but this package contains only README.md and SKILL.md—no script files are present. That mismatch means the instructions assume an executable that isn't provided here. SKILL.md otherwise limits actions to calling the public SpaceX API, but the pre-scan found unicode-control-chars (prompt-injection) in the SKILL.md, which is suspicious and could hide or manipulate content.
Install Mechanism
There is no install spec (instruction-only), which is low risk. But README suggests cloning a third-party GitHub repo (https://github.com/jeffaf/spacex-skill.git) that's different from the declared homepage; downloading/cloning external repos should be verified before running.
Credentials
The skill does not request any environment variables, credentials, or config paths—this is proportional for a public API lookup tool that requires no auth.
Persistence & Privilege
always is false and the skill does not request elevated persistence or to modify other skills; default autonomous invocation is allowed (platform default) and is not by itself a red flag.
Scan Findings in Context
[unicode-control-chars] unexpected: Hidden/Unicode control characters in SKILL.md are not expected for a simple CLI instruction file and can be used for prompt-injection or to obfuscate content. This should be examined/cleaned before trusting the text.
What to consider before installing
This skill's purpose and required tools look reasonable for a SpaceX CLI, but do not install or run it blindly. Key concerns: (1) the package lacks the ./spacex script the agent is instructed to run—verify the repository actually provides that executable; (2) README clone URL and declared homepage differ—confirm the correct, trusted source; (3) SKILL.md contains unicode-control characters (possible prompt-injection/obfuscation) — open the file in a hex/clean-text viewer or remove control chars before use. If you install, inspect the cloned files to ensure there are no unexpected scripts, and run networked components in a sandbox or VM if you want extra safety. Provide the actual script or a trusted upstream release URL to raise confidence.

Like a lobster shell, security has layers — review code before you run it.

latestvk977ftzwz012e4nf1qfztybbzs80jk2j

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🚀 Clawdis
Binsbash, curl, jq

Comments