Is kj5irq/asl-control safe?

https://github.com/openclaw/skills/tree/main/skills/kj5irq/asl-control

Overall score: 79/100 (CAUTION)

The asl-control skill is a legitimate amateur radio node control client for AllStar Link / ASL3 infrastructure. No prompt injection, hidden instructions, or malicious code patterns were detected. The primary concern is that scripts/asl-api.sh hardcodes the author's personal Tailscale IP address (100.116.156.98) as a fallback default, meaning any user who fails to set ASL_PI_IP when using the shell wrapper would route API credentials to the author's device. Additionally, SKILL.md instructs the agent to source a broad secrets file before every command invocation, normalizing wider-than-necessary credential exposure as standard workflow. These issues appear to stem from the skill being a lightly sanitized personal tool rather than deliberate malice, but they warrant review before deployment.

Category Scores

Prompt Injection: 82/100 (weight 30%)
Data Exfiltration: 65/100 (weight 25%)
Code Execution: 80/100 (weight 20%)
Clone Behavior: 90/100 (weight 10%)
Canary Integrity: 100/100 (weight 10%)
Behavioral Reasoning: 65/100 (weight 5%)

Findings (6)

HIGH Author's Tailscale IP hardcoded as default in asl-api.sh -20

scripts/asl-api.sh sets ASL_PI_IP with a default fallback of 100.116.156.98 via Bash parameter expansion. A user who sources or executes this script without explicitly setting ASL_PI_IP will send all API requests, including the X-API-Key bearer token, to the author's personal Tailscale-routed device. Addresses in the Tailscale range (100.x.x.x) are routable throughout a Tailscale mesh, so this IP is reachable from any device on the author's tailnet. The primary Python tool (asl-tool.py) correctly rejects a missing ASL_PI_IP with a SystemExit, making this risk specific to the shell wrapper.

MEDIUM SKILL.md normalizes broad secrets file sourcing in all usage examples -18

Every usage example in SKILL.md instructs the agent to run 'source ~/.config/secrets/api-keys.env' before invoking the Python tool. This trains the agent to treat sourcing the broad secrets file as a prerequisite for any ASL command, potentially causing the agent to expose the full contents of that file to subprocesses. The cron job template additionally schedules this secrets-sourcing step to run persistently, once every minute.

MEDIUM asl-api.sh sources entire secrets file rather than scoping to required variables -15

When executed directly (not sourced), asl-api.sh runs 'source ~/.config/secrets/api-keys.env 2>/dev/null' which imports all variables from the user's secrets file into the shell environment. Only ASL_PI_IP and ASL_API_KEY are needed; sourcing the full file exposes AWS keys, API tokens, and other credentials to child processes spawned by the script.

LOW watch command has no default timeout — can loop indefinitely -10

The 'watch' subcommand in asl-tool.py polls the ASL node at a configurable interval with no default value for --max-seconds. If the agent invokes this command without specifying a timeout (e.g., in response to 'monitor my node'), it will run forever, holding a connection and consuming resources until the process is killed externally.

LOW Personal contact node aliases leak amateur radio network topology -5

asl-node-aliases.json maps human-readable names to specific AllStar node numbers, including named contacts ('doug': '67098', 'kf8drj': '67098') and club affiliations ('sun city west radio club': '63916'). This exposes the author's personal radio network relationships and could be used to identify and target specific nodes.

INFO Skill designed for specific ham radio infrastructure with personal callsign embedded 0

The skill is authored by KJ5IRQ (matching the slug kj5irq) and contains references to the author's personal node (637050), personal contacts, and personal Tailscale IP. The skill appears legitimate for its stated purpose but is highly personalized, which increases the likelihood of accidental credential routing to the author's infrastructure if default values are used.