ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Hostcheck

v1.0.0

Free host health check for OpenClaw deployments. Check system status, updates, security settings, and provide recommendations. No paid tools required.

0· 67·0 current·0 all-time
by@bwtomekk-bit
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the checks listed (uptime, updates, SSH, UFW, backups, OpenClaw status). Requesting no credentials and having no install spec is reasonable for a read-only host check. However, a host health check will necessarily need local command access (apt, journalctl, ufw, rsync, etc.), which the SKILL.md does not explicitly declare as required binaries or required privilege levels.
!
Instruction Scope
The SKILL.md describes checks and example commands but is vague about which exact commands the agent will run and which files/paths it will read. It references 'journalctl --user -u trading-*', a service name unrelated to the generic host-check purpose (appears to be a leftover or template artifact). That vagueness grants the agent broad discretion to read logs and run privileged commands unless constrained at runtime.
Install Mechanism
There is no install spec and no code files; this lowers risk because nothing is written to disk by the skill itself.
Credentials
No environment variables or credentials are requested, which is proportionate. However, the skill implies the use of sudo and access to system logs/configs; the skill does not state this explicitly or recommend minimum privilege levels, so it may silently require elevated access when actually run.
Persistence & Privilege
always:false and no persistence or config writes are requested. The skill does not request permanent host presence or modify other skills.
What to consider before installing
This skill broadly matches a host-health purpose but is vague about what it will actually run on your system and where it came from. Before installing or invoking it: 1) Ask the publisher/source and prefer skills with a homepage or repo you can inspect. 2) Request a concrete list of commands and file paths the skill will read (e.g., /etc/ssh/sshd_config, ufw status, apt list --upgradable). 3) Verify whether it needs sudo; avoid granting persistent sudo. 4) Ask why it references 'journalctl --user -u trading-*' and remove or replace unrelated service names. 5) Test on a non-production host first. If you cannot get a clear command list and source, treat the skill cautiously and do not give it elevated privileges or full autonomous execution rights.

Like a lobster shell, security has layers — review code before you run it.

latestvk978hmk6yszy4amarwrq02s8qd83b3gp

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🖥️ Clawdis

Comments