Skill v1.0.2

ClawScan security

RDA MSG Board · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 23, 2026, 8:38 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code, instructions, and requested environment variables are coherent with its stated purpose of sending messages to a physical RDA MSG Board, but provenance is unknown so exercise normal caution before installing.
Guidance
This skill appears to do what it claims: it runs local Python scripts to POST JSON to the IP you provide (or to a saved profile). Before installing: (1) verify you trust the skill source or inspect the included scripts (they are small and readable); (2) prefer using a local boards.yaml profile rather than exporting credentials into shared environment variables; (3) ensure MSG_BOARD_IP points to your trusted local device (don't direct it at unknown third-party hosts, since credentials are sent via Basic Auth); (4) if you will use the manager script, install PyYAML from a trusted source; and (5) avoid running untrusted code on sensitive hosts. Because the skill's provenance/homepage is not provided, treat the package like any third-party script and review it before use.

Review Dimensions

Purpose & Capability
ok: Name/description, required binaries (python3), and required env vars (MSG_BOARD_IP, MSG_BOARD_USER, MSG_BOARD_PASS) align with the delivered scripts which POST JSON to a device HTTP API. Profile support via boards.yaml and optional PyYAML is consistent with the skill's stated features.
Instruction Scope
ok: SKILL.md restricts runtime actions to running the included Python scripts and references only profile files (boards.yaml) and the device API. It explicitly warns about command injection and instructs safe argv usage. The instructions do not ask the agent to read unrelated system files or transmit data to unexpected endpoints.
Install Mechanism
ok: No install spec is provided (instruction-only with included scripts). That keeps disk/write risk minimal; the shipped Python scripts are small and their behavior matches the described functionality. No external downloads or archive extraction are specified.
Credentials
note: The three environment variables requested (MSG_BOARD_IP, MSG_BOARD_USER, MSG_BOARD_PASS) are relevant as fallback credentials for direct connections. SKILL.md notes they are only needed if not using profiles; declaring them as required in metadata may be stricter than necessary but not inconsistent with purpose.
Persistence & Privilege
ok: The skill is not always-enabled and uses normal user invocation/autonomous invocation defaults. It does not request system-wide config modification or other skills' credentials.