RDA MSG Board

ReviewAudited by ClawScan on May 1, 2026.

Overview

The skill appears to be a straightforward LED message-board controller, with expected but noteworthy use of local command execution and board credentials.

Before installing, make sure you trust the configured board IP/profile, use a unique board password, protect any boards.yaml file, and prefer argv-style command execution so message text is not passed through an unsafe shell string.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low

#ASI02: Tool Misuse and Exploitation

What this means

A user request can cause a visible message or alert sound on the configured LED board; unsafe shell-string invocation could mishandle message text.

Why it was flagged

The skill intentionally uses a local command tool to send messages to the physical board. This is purpose-aligned and includes safe argv guidance, but users should recognize that local command execution is part of normal operation.

Skill content

Use an `exec` or command tool to run `scripts/send_message.py` ... Example `argv` list invocation: `["python3", "scripts/send_message.py", message_text, "--profile", board_name]`

Recommendation

Use argv-style command invocation when possible, avoid raw shell interpolation, and confirm the target board when the user request is ambiguous.

Medium

#ASI03: Identity and Privilege Abuse

What this means

Board credentials are transmitted to the configured device and may be exposed on the local network if plain HTTP is used.

Why it was flagged

The script sends the configured board username and password using HTTP Basic Auth, defaulting to plain HTTP unless the provided IP value already includes a scheme.

Skill content

else:
        url = f"http://{ip}/api"
...
auth_str = f"{user}:{password}"
...
req.add_header('Authorization', f"Basic {b64_auth}")

Recommendation

Use a unique password for the message board, keep it on a trusted network, and use an HTTPS URL if the device supports it.

Low

#ASI03: Identity and Privilege Abuse

What this means

Anyone with access to the skill directory or boards.yaml file could read the configured board password.

Why it was flagged

The profile manager stores board credentials in a local YAML file as ordinary profile data. This is expected for profile support, but it is persistent local credential storage.

Skill content

profiles[args.name] = {
        'ip': args.ip,
        'user': args.user,
        'pass': args.password
    }
...
yaml.dump({'profiles': profiles}, f, default_flow_style=False)

Recommendation

Protect boards.yaml with appropriate filesystem permissions, avoid reusing passwords, and remove profiles that are no longer needed.