v1.0.0

ISS Tracker

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:54 AM.

Analysis

This instruction-only skill narrowly fetches public ISS coordinates from a disclosed API and shows no credential, file, persistence, or account access.

Guidance: This appears safe for its stated purpose. Before installing, confirm you are comfortable with a simple external API request and that your local curl and jq tools are trusted.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low. Confidence: High. Status: Note.
SKILL.md
curl -s "http://api.open-notify.org/iss-now.json" | jq -r '"Lat: \(.iss_position.latitude), Lon: \(.iss_position.longitude)"'

The skill asks the agent/user to run a local shell pipeline that contacts an external API. This is expected for an ISS tracker and is narrowly scoped, but it is still command execution plus a network request.

User impact: Using the skill will contact the Open Notify API, and that service or the network path may see the request; the endpoint is HTTP rather than HTTPS.
Recommendation: Use only if you are comfortable with a public external API request, and review the command before running it.

Agentic Supply Chain Vulnerabilities
Severity: Info. Confidence: High. Status: Note.
SKILL.md
bins: ["curl", "jq"]

The skill depends on local curl and jq binaries. These are common tools and purpose-aligned here, but users should know they must be present and trusted.

User impact: If curl or jq is missing or replaced by untrusted local binaries, the command may fail or behave unexpectedly.
Recommendation: Ensure curl and jq are installed from trusted system sources before using the skill.