ClawHub

Red Alert

v1.2.0

Israel Red Alert API — real-time and historical rocket/missile alert data. Query alerts by city, time range, generate shelter time stats. Uses redalert.oriel...

0· 369·1 current·1 all-time
byDanny Shmueli@dannyshmueli
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the code and instructions: analyze.mjs calls the documented REST history endpoint, realtime/listener scripts use socket.io to redalert.orielhaim.com. No unrelated credentials, binaries, or surprising services are requested.
Instruction Scope
SKILL.md instructs the agent to run npm install and execute Node scripts and curl commands against the documented endpoints. The scripts write JSONL files under /data/clawd/tmp and reference skill-local paths (/data/clawd/skills/...). This is expected for a persistent listener/analyzer, but note it will create/append local files and may run a long-lived socket connection if the daemon is used.
Install Mechanism
There is no platform install spec; users are instructed to run npm install in the scripts directory. Dependencies come from the public npm registry (socket.io-client). This is expected but carries the usual npm-supply-chain risks (verify package-lock.json and run in a sandboxed environment if concerned).
Credentials
Only an optional RED_ALERT_API_KEY is declared and used. The code reads that single env var for authenticated socket.io connections; no other secrets or unrelated env/config paths are requested or accessed.
Persistence & Privilege
always:false (no forced inclusion). The listener-daemon creates persistent local files (/data/clawd/tmp/redalert-live.jsonl and redalert-pending.jsonl) and maintains long-lived network connections. This is consistent with real-time functionality, but you should expect residual files and an active socket if run persistently.
Assessment
This skill appears internally coherent for its stated purpose. Before installing: 1) If you will run the realtime/daemon scripts, run npm install in an isolated sandbox and verify package-lock.json to reduce npm supply-chain risk. 2) The listener writes JSONL files to /data/clawd/tmp — ensure that path and file permissions are acceptable and won't expose sensitive data. 3) The RED_ALERT_API_KEY is optional; only provide it if you need authenticated real-time access. 4) Expect a persistent socket.io connection if you use the daemon — monitor network egress and logs. 5) If you prefer lower risk, use the history-only analyze.mjs (which requires no key) or run realtime listeners manually rather than granting autonomous invocation. If you want more assurance, ask the publisher for provenance (homepage/owner) or run the code in a controlled environment first.

Like a lobster shell, security has layers — review code before you run it.

latestvk97eaxk0mp0zspsg2f343crwah82909j

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Dependencies

socket.io-clientnpm

Comments