ClawHub

Icom IC-7610

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed ham-radio control skill, but it can change radio state and transmit, so it should be used only by an operator who understands the equipment and regulations.

Install only if you intend to let an agent help operate this specific transceiver. Keep transmit, CW, beacon, high-power, and power-state actions under explicit operator control; verify jurisdiction, license privileges, frequency, power, and SWR before transmitting; and avoid adapting the eval-based retry helper unless it is rewritten to avoid untrusted command strings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill exposes high-impact radio-control capabilities but does not define explicit invocation constraints, allowed operations, or user-confirmation gates at the skill boundary. In an agent setting, vague activation conditions increase the chance the skill is invoked from ambiguous user requests and performs state-changing actions on physical equipment without sufficiently clear authorization.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation includes remote power on/off procedures for a physical transceiver, including wake-from-standby behavior, but does not present a prominent user-facing warning about device-state changes, timing, operational disruption, or misuse risk. Remote power control over LAN/serial can unexpectedly energize equipment or interrupt communications, making this materially safety-relevant in a real-world radio environment.

Natural-Language Policy Violations

Medium
Confidence
81% confidence
Finding
The skill hardcodes a US amateur band plan for pre-transmit safety checks without requiring the operator’s jurisdiction or license class. In a non-US context, the agent could incorrectly approve or reject transmissions, creating regulatory and operational risk despite the presence of safety-oriented intent.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal