ISS Tracker
PassAudited by ClawScan on May 1, 2026.
Overview
This instruction-only skill narrowly fetches public ISS coordinates from a disclosed API and shows no credential, file, persistence, or account access.
This appears safe for its stated purpose. Before installing, confirm you are comfortable with a simple external API request and that your local curl and jq tools are trusted.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill will contact the Open Notify API, and that service or the network path may see the request; the endpoint is HTTP rather than HTTPS.
The skill asks the agent/user to run a local shell pipeline that contacts an external API. This is expected for an ISS tracker and is narrowly scoped, but it is still command execution plus a network request.
curl -s "http://api.open-notify.org/iss-now.json" | jq -r '"Lat: \(.iss_position.latitude), Lon: \(.iss_position.longitude)"'
Use only if you are comfortable with a public external API request, and review the command before running it.
If curl or jq are missing or replaced by untrusted local binaries, the command may fail or behave unexpectedly.
The skill depends on local curl and jq binaries. These are common tools and purpose-aligned here, but users should know they must be present and trusted.
bins: ["curl", "jq"]
Ensure curl and jq are installed from trusted system sources before using the skill.