System Monitor Pro

Suspicious
Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its monitoring purpose, but its remote SSH option builds a shell command from an unvalidated host value and disables SSH host verification.

This appears to be a real monitoring skill, but use it cautiously. Local monitoring is comparatively low risk; avoid remote monitoring unless you trust the host string and SSH setup, and do not enable the HEARTBEAT.md recurring monitor unless you want ongoing background checks.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A crafted or mistaken remote host value could cause unintended local shell behavior, and disabling host verification makes it easier to connect to an impersonated remote machine.

Why it was flagged

The remote host argument comes from the command line and is inserted directly into a shell command; SSH host-key verification is also disabled.

Skill content
const remoteHost = args.includes('--remote') ? args[args.indexOf('--remote') + 1] : null; ... return run(`ssh -o ConnectTimeout=3 -o StrictHostKeyChecking=no ${remoteHost} "${escaped}"`);
Recommendation

Avoid using --remote with untrusted or copied host strings until this is fixed. The maintainer should validate the host, reject option-like or shell-metacharacter input, use spawn/execFile with an argument array instead of shell concatenation, and keep SSH host-key checking enabled.

What this means

If remote mode is used, the skill runs monitoring commands under the user's SSH privileges on the target host.

Why it was flagged

Remote monitoring intentionally uses the user's existing SSH access to another machine.

Skill content
`--remote user@host` — Monitor a remote machine via SSH; `SSH access for remote monitoring (optional)`
Recommendation

Use remote mode only for machines you control, with least-privilege SSH accounts, and review the target host before running.

Note (High Confidence)
ASI10: Rogue Agents
What this means

Periodic monitoring can repeatedly run local status commands and notify the user, which is useful but should not be enabled silently.

Why it was flagged

The skill documents an optional recurring monitoring setup that would keep running after initial installation if the user adds it.

Skill content
Add to your HEARTBEAT.md for periodic monitoring: `System Monitor (every 30 min)` ... `Run: node ~/.openclaw/workspace/skills/system-monitor-pro/monitor.js --alert-only`
Recommendation

Only add the HEARTBEAT.md entry deliberately, keep it local unless remote monitoring is necessary, and remove it when no longer wanted.