ClawHub

Tidbyt Status Display

AdvisoryAudited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

NoteHigh Confidence
ASI07: Insecure Inter-Agent Communication
What this means

People or devices on reachable networks could see when the agent is active, idle, or working and view recent activity metadata.

Why it was flagged

The status API listens on all network interfaces and allows reads from any browser origin. This is aligned with making the API reachable by a Tidbyt integration, but any host that can reach the port can read the status JSON.

Skill content
server = HTTPServer(("0.0.0.0", port), StatusHandler) ... self.send_header("Access-Control-Allow-Origin", "*")
Recommendation

Run it only on trusted networks, restrict firewall access to the needed device or LAN, and consider binding to a specific interface or adding a token/reverse proxy if exposed beyond the local network.

NoteHigh Confidence
ASI10: Rogue Agents
What this means

If installed as a service or started with nohup, the API may continue running after the terminal is closed or after reboot.

Why it was flagged

The documentation includes optional background and systemd service modes that keep the status server running. This persistence is disclosed and purpose-aligned for a display service.

Skill content
ExecStart=/usr/bin/python3 scripts/status_server.py
Restart=always ... nohup python3 scripts/status_server.py > /tmp/scout-status.log 2>&1 &
Recommendation

Use persistent mode only if you want continuous status display, and keep the disable/stop commands available, such as killing the background process or disabling the systemd service.

NoteHigh Confidence
ASI04: Agentic Supply Chain Vulnerabilities
What this means

The documented Tidbyt app may not be available from the installed package, so users might need to obtain or create it separately.

Why it was flagged

The documentation says the Tidbyt Starlark app file is part of the integration, but the provided file manifest does not include scout_status.star, creating an incomplete-package/provenance gap for that component.

Skill content
2. **Tidbyt App** (`scout_status.star`) - Starlark app for rendering on Tidbyt ... - `scout_status.star` - Tidbyt Starlark app
Recommendation

Confirm the missing scout_status.star file comes from a trusted source before using or pushing it to a Tidbyt device.