Skill v2.1.0
ClawScan security
Icom IC-7610 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign (Feb 24, 2026, 8:08 PM)
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and instructions are coherent with its stated purpose (controlling an Icom IC-7610 via rigctl/curl/python); it does not request unrelated credentials or pull arbitrary external binaries.
- Guidance: This skill appears to be what it claims: a set of shell/python instructions to control an IC-7610 using hamlib/wfview/flrig. Before installing, do the following:
  1. Inspect the .env.example/.env the skill will source and ensure it contains only expected values (callsign, serial port, local URLs); do not place unrelated secrets there.
  2. Be aware rigctl and direct serial access will open the radio's USB/serial device and can block other programs; stop flrig/WSJT-X if you need exclusive serial access.
  3. The skill can power the radio on/off and key CW. Run it first with operator supervision and the provided pre-TX safety checks enabled to avoid accidental transmissions.
  4. The metadata omitted declaring the env vars the skill actually reads; treat that as an informational mismatch (not a security issue) and confirm configuration before use.
  5. If you do not want the agent to ever transmit autonomously, restrict autonomous invocation or require explicit confirmation before any PTT/CW/beacon action.
Review Dimensions
- Purpose & Capability: ok. Name/description (IC-7610 control) matches the binaries and actions used: rigctl (Hamlib) for radio control, curl for flrig XML-RPC, and python3/pyserial for raw CI-V serial power-on. The brew install of hamlib (rigctl) is appropriate and expected.
- Instruction Scope: note. SKILL.md instructs the agent to source a local .env, use rigctl, curl to local flrig, and a short python3 serial snippet for power-on; all actions are within the stated scope. Note: the skill will read a .env file (station configuration) from the skill directory. This is expected for radio control, but it is an explicit file read that users should review before use.
- Install Mechanism: ok. Install spec uses Homebrew to install the well-known hamlib package (provides rigctl). No downloads from untrusted URLs or arbitrary extract/install steps are present.
- Credentials: note. The registry lists no required env vars, but SKILL.md documents several configuration env vars (.env): CALLSIGN, SERIAL_PORT, BAUD_RATE, HAMLIB_MODEL, FLRIG_URL, RIGCTLD_ADDR, MAX_POWER_W. Those variables are reasonable and proportional to the skill's function, but the metadata/registry omission is a small inconsistency (the skill will read .env variables even though none are declared as required in the registry). None of the env vars are sensitive tokens by default, but .env is user-controlled, so review its contents before use.
- Persistence & Privilege: ok. Skill does not request always: true, does not modify other skills or system-wide configs, and requires only local files and standard binaries. It can perform actions that change radio state (power on/off, keying). These are functionally appropriate but should be used with operator supervision.
