Skill v2.0.0
ClawScan security
Apm Monitor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 17, 2026, 7:07 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's files and instructions match its stated purpose (a lightweight APM/monitoring CLI stub); it reads/writes only a local data directory and does not request credentials or perform network activity.
- Guidance: This skill appears to be a lightweight, local APM/monitoring CLI stub that logs data under ~/.local/share/apm-monitor (or APM_MONITOR_DIR if set). It does not ask for credentials or perform network calls. Before installing: (1) confirm you are comfortable with the skill creating files in your home directory (history.log, data.log), (2) review the included shell scripts if you want to be certain they match your security requirements (they are short and readable), and (3) note the naming inconsistencies (Pinpoint vs apm-monitor) and unimplemented parts (e.g., TODO in run) — this suggests the project may be incomplete. If you need a production-grade APM, prefer the official upstream project rather than this minimal toolkit.
Review Dimensions
- Purpose & Capability (ok): Name/description (APM CLI) align with the included scripts (apm-monitor / pinpoint helper). The included scripts implement help, simple data operations, and local logging — consistent with a minimal monitoring/analysis toolkit. Minor mismatch: SKILL.md and scripts use the name 'Pinpoint' and reference both 'pinpoint-apm' and 'apm-monitor' upstream projects, which is likely a naming/copying inconsistency but not a functional concern.
- Instruction Scope (ok): SKILL.md instructs running local commands (apm-monitor help/run/etc.). The scripts only read/write files under APM_MONITOR_DIR (default ~/.local/share/apm-monitor) and do not access other system paths, environment variables (except the one for data dir), or remote endpoints. No instructions ask the agent to collect or transmit data externally.
- Install Mechanism (ok): No install spec — instruction-only skill with small shell scripts included. Nothing is downloaded or installed from external URLs at runtime, so install risk is low.
- Credentials (ok): The skill requests no environment variables or credentials. It optionally uses APM_MONITOR_DIR to locate its data directory (declared in SKILL.md). No unrelated secrets or config paths are requested.
- Persistence & Privilege (ok): always is false and the skill is user-invocable; it does not request persistent elevated privileges or attempt to modify other skills or global agent settings. It will create and write files only within its own data directory.
