Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Health Check
v1.0.1每日安全检查。检查 OpenClaw Gateway、磁盘空间、内存使用等系统健康状态。触发时机:cron 定时任务或手动调用。
⭐ 0· 335·1 current·1 all-time
by@axelhu
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The described checks (gateway status, disk, memory, recent logs, generate report) are coherent with a 'Health Check' skill. However the SKILL.md expects the 'openclaw' CLI and access to system logs and to a Feishu messaging channel, while the manifest declares no required binaries, env vars, or config paths — this is an inconsistency (the skill will require system tooling and messaging credentials to function).
Instruction Scope
The runtime instructions instruct the agent to run shell commands (openclaw gateway status, df -h, free -h) and to 'check logs' but do not specify which log files or safe filters. They also mandate writing reports to data/exec-logs/... and sending the full report to Feishu. The combination lets the agent read arbitrary local logs and send their contents externally; the lack of explicit log paths and data filtering is a scope creep / data-exfiltration risk if sensitive logs are present.
Install Mechanism
This is instruction-only with no install steps or downloaded code, so nothing is written to disk by an installer. That minimizes install-time risks. The risk surface is runtime (shell commands and messaging).
Credentials
The instructions require sending messages to Feishu (a network endpoint) and likely need credentials or a webhook, but the skill declares no required environment variables or primary credential. That omission is problematic: either the agent must already have Feishu credentials elsewhere (not documented), or the skill will fail or implicitly rely on unspecified secrets. Also the skill reads system logs (sensitive data) yet provides no guidance on which credentials/permissions are needed to access them safely.
Persistence & Privilege
always is false and the skill does not request persistent presence or modify other skills' configuration. Writing reports to data/exec-logs is an expected behavior for a health-check tool, but users should confirm the directory is appropriate and writable.
What to consider before installing
Before installing or enabling this skill, confirm the following: 1) Ensure the host has the 'openclaw' CLI available (or update the manifest to declare it). 2) Decide exactly which log files will be inspected and restrict the checks to those paths to avoid leaking sensitive data; update SKILL.md with explicit log paths and filters. 3) Provide documented Feishu delivery credentials (webhook or API token) in the skill manifest or agent config; do not rely on unspecified/global secrets. 4) Review the report contents and test in an isolated environment so no production secrets are accidentally sent to chat. 5) Ensure the agent process has the minimum filesystem/network permissions required and that data/exec-logs is a suitable location. If you cannot confirm these points, treat the skill as potentially exfiltrating sensitive logs and avoid enabling it until the manifest and instructions are corrected.Like a lobster shell, security has layers — review code before you run it.
latestvk976c029n62e718vp5zdm2hxk9835cz7
License
MIT-0
Free to use, modify, and redistribute. No attribution required.