ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Claw Reliability

v1.0.6

Agent observability — monitors tool invocations, LLM calls, token usage, costs, and anomalies with pluggable alerts and a real-time dashboard.

0· 86·0 current·0 all-time
by@fiddyrod
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's code matches the described purpose: it parses OpenClaw session transcripts, stores metrics in a local SQLite DB, runs anomaly checks, and can send alerts to webhooks and run a local dashboard. However the registry metadata / SKILL.md declare a required config path (agents.defaults.workspace) and use a {baseDir} placeholder, while the code actually reads monitoring.openclaw_state_dir (default ~/.openclaw) and uses its own internal base path. That mismatch between declared config requirements and what the code uses is an incoherence worth noting.
!
Instruction Scope
The SKILL.md instructions are narrowly scoped to starting the monitor, viewing metrics, configuring alerts, and launching the dashboard. The instructions explicitly state the skill will read gateway events and session transcripts (sensitive data) and store metrics locally, which the parser code does. Two things to watch: (1) the SKILL.md uses a {baseDir} placeholder which is not referenced in the code paths (the monitor uses its package base path and config.yaml), and (2) the dashboard frontend loads React/Babel from public CDNs — a runtime supply-chain / privacy risk if you expose the dashboard or run in a high-security environment. Alerts to external webhooks only occur if you configure them, but sanitizer is heuristic and may not catch all secrets.
Install Mechanism
No network install script or remote downloads in an install spec. Files are bundled with the skill and the runtime requires python3; dependencies are listed in requirements.txt. There is no automatic fetching of arbitrary code during install. The dashboard's frontend, however, references public CDNs at runtime (client-side), which is a separate supply-chain consideration described in the README.
Credentials
The skill requests no environment variables and does not demand unrelated cloud credentials. It does read user OpenClaw state (default ~/.openclaw) and will write a local SQLite DB and logs under the skill directory (data/metrics.db, data/alerts.log). Those accesses are proportional to monitoring, but they involve sensitive transcripts and tool arguments — the README and sanitizer claim redaction, but redaction is pattern-based and not guaranteed to catch every secret.
Persistence & Privilege
The skill does not set always:true and does not request elevated platform privileges. It writes its own artifacts (DB, logs, config.yaml) in its directory and reads from the user's OpenClaw state directory. It does not modify other skills or system-wide agent settings. Writing webhook URLs into config.yaml (configure-alerts) is expected behavior for a notifier.
What to consider before installing
What to check before installing: - Understand data access: this skill reads OpenClaw session transcripts (default ~/.openclaw) which may contain sensitive tool arguments, tokens, or file paths. That behavior is expected for an observability tool, but be sure you want that data read and stored locally. - Config vs. instructions mismatch: SKILL.md references a {baseDir} placeholder and the registry metadata mentions agents.defaults.workspace, but the code reads monitoring.openclaw_state_dir (config.yaml) and uses the skill's package path as base. Before running, open config.yaml and confirm monitoring.openclaw_state_dir and monitoring.db_path point to the locations you expect. - External endpoints: alerts are only sent when you explicitly configure a webhook (e.g., Discord). If you configure a webhook, the skill will send sanitized alert text — sanitization is heuristic (regex-based) and can miss secrets or custom token formats. Only send alerts to trusted endpoints and consider reviewing or extending scripts/alerts/sanitizer.py to match your secret formats. - Dashboard CDN risk: the frontend loads React/Babel from public CDNs. If you operate in an air-gapped or high-security environment, serve frontend assets locally or avoid launching the dashboard. The README already recommends this. - Run in a controlled environment first: consider running the monitor in a VM or isolated environment, inspect data written to data/metrics.db and data/alerts.log, and run monitor.py summary/tools/costs to validate behavior before enabling any external alert destinations. - Small code inconsistencies: there are duplicate modules (scripts/ and scripts/scripts/) and a minor mismatch between declared registry config and code. These look like packaging quirks rather than malicious behavior, but you may want to inspect the source files in the bundle if you are cautious. If you want higher assurance, ask the skill author for clarity on the intended mapping of {baseDir} / agents.defaults.workspace and for a way to run the parser in read-only mode (no writes) or to opt out of front-end CDN usage.

Like a lobster shell, security has layers — review code before you run it.

latestvk9790am1nyw3vefy5qpbkdce6h83ck9n

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

OSLinux · macOS
Binspython3
Configagents.defaults.workspace

Comments