Rpi Cpu Monitor

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill appears to match its Raspberry Pi temperature-alert purpose, but it creates a repeating monitor and uses a local OpenClaw token to send alerts.

Before using this skill, review the script path, temperature threshold, alert channel, and the hardcoded /home/weiye/.openclaw/gateway-token path. Add the cron job only if you want ongoing background monitoring, and remove the crontab/OpenClaw cron entry when you no longer need it.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

No VirusTotal findings for this skill version.

Malicious: 0
Suspicious: 0
Harmless: 0
Undetected: 66

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#ASI03: Identity and Privilege Abuse

Medium

What this means

The scheduled script can act with the local OpenClaw gateway token to send alert messages; if copied without adjustment, it may fail or use an unintended local token path.

Why it was flagged

The monitor reads a local OpenClaw gateway token to authenticate its alert request. This is visible in the script and used for the local alert flow, but it is privileged account material and the path is hardcoded.

Skill content

-H "Authorization: Bearer $(cat /home/weiye/.openclaw/gateway-token 2>/dev/null)"

Recommendation

Confirm the token path is correct for your device, protect the token file permissions, and consider using a clearly documented configurable path or scoped token.

#ASI10: Rogue Agents

Low

What this means

The monitor can keep running in the background and send alerts after the initial setup.

Why it was flagged

The skill instructs the user to install a recurring cron job that runs every 35 minutes. This persistence is disclosed and central to monitoring, but it continues until the user removes it.

Skill content

crontab -e ... 添加: */35 * * * * /path/to/scripts/cpu-temp-monitor.sh

Recommendation

Only add the cron job if you want continuous monitoring, and keep a note of the crontab/OpenClaw cron entry so you can disable it later.

#ASI04: Agentic Supply Chain Vulnerabilities

Info

What this means

The skill may not work unless the Raspberry Pi temperature command, curl, and OpenClaw gateway token are available.

Why it was flagged

The included script relies on local commands and the OpenClaw localhost API, while the registry metadata declares no required binaries or config paths. This is under-declared but consistent with the stated monitoring and alerting purpose.

Skill content

TEMP=$(vcgencmd measure_temp 2>/dev/null ...); ... curl -s -X POST "http://localhost:3000/api/sessions/agent:main:main/message"

Recommendation

Verify the required local tools and paths before installing the scheduled monitor.