Skill v1.3.0
ClawScan security
Pg Game Monitor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 28, 2026, 10:18 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: This package is a coherent Prometheus+Grafana monitoring solution for JVM+MySQL, but there are notable mismatches, sloppy/incomplete code and installer behavior that warrant manual review before running (especially as root).
- Guidance: Plain-language checklist before installing:
  - Do not run the installer as-is on production systems without review. monitor_install.sh runs as root, downloads/extracts binaries, installs packages and enables systemd services.
  - Verify required environment variables yourself: PUSHGATEWAY and FEISHU_WEBHOOK_URL are required by the scripts even though the registry metadata lists none. Set and protect FEISHU_WEBHOOK_URL (store it with restricted permissions or use Ansible Vault as suggested).
  - Inspect and, if needed, correct the scripts: the included game_agent.py file appears truncated at the end and contains at least one typo ('loggin'), which could cause runtime errors. Verify the full script before deployment.
  - Confirm external URLs and versions (Prometheus/Alertmanager/Pushgateway/Grafana) in the installer are valid and acceptable for your environment; the script uses public downloads and a Grafana enterprise RPM.
  - Prefer deploying into an isolated/test environment first to validate behavior (service startup, resource use, permissions). Check that jstat/jcmd are available and the agent user has permission to call them.
  - Secure secrets and files: ensure /opt/monitor/feishu/webhook.env and /opt/game_monitor/env.conf have restrictive permissions (600), and consider running Python services in a virtualenv or container to avoid polluting system packages.
  - Network / firewall: restrict access to Prometheus/Grafana/Pushgateway ports to your admin IPs only.

  If you want, I can: (1) point out the exact lines in game_agent.py and monitor_install.sh that look buggy or risky, (2) produce a safe checklist or hardened systemd/unit file changes, or (3) extract a minimal subset of files you can run in a sandboxed container for testing.
Review Dimensions
- Purpose & Capability (concern): The skill's name/description match the included files (agent, installer, webhook, dashboards). However the registry metadata claims no required environment variables or credentials while SKILL.md and the scripts clearly require at least PUSHGATEWAY and FEISHU_WEBHOOK_URL (and optionally MySQL credentials). That metadata mismatch is a material coherence issue: the skill will not function without secrets/config the registry says it doesn't need.
- Instruction Scope (note): SKILL.md and the included docs instruct the agent/operator to write env files, create systemd units, run the monitor_install.sh installer, and inspect logs (/opt/game_monitor/env.conf, /var/log/game_monitor/). Those actions are within the stated monitoring scope. The troubleshooting steps instruct reading local config/logs and calling local HTTP endpoints (Pushgateway/Prometheus), which is expected. No instructions explicitly exfiltrate secrets to unknown third parties — alert forwarding goes to a user-supplied Feishu webhook. Still, the docs/instructions give the installer broad discretion (systemctl, creating services, writing configs), so it should be run only on hosts you control.
- Install Mechanism (note): There is no formal registry install spec, but the included monitor_install.sh is a full installer that requires root, downloads multiple binaries (GitHub releases and Grafana RPM from dl.grafana.com), extracts them to /opt/monitor, installs system packages and pip packages, writes systemd units, and starts services. Download hosts are well-known but the script runs as root and writes/extracts code and services — moderate risk; review the script before executing. Also some version numbers look odd (e.g., Prometheus '3.5.1' in the script) and should be verified.
- Credentials (concern): The SKILL.md and scripts legitimately require configuration env vars: PUSHGATEWAY (required), FEISHU_WEBHOOK_URL (required for webhook), optional MYSQL_USER/PASSWORD, PUSH_INTERVAL, etc. These envs are proportional to the monitoring function. The problem is the registry metadata declares 'none' for required env vars/credentials, which is incorrect. Additional concerns: the installer writes FEISHU_WEBHOOK_URL into /opt/monitor/feishu/webhook.env (monitor_install.sh does not set restrictive file permissions); deploy.md recommends perms 600, but that is not enforced by the script. The Ansible playbook calls pip globally (no virtualenv), which can alter system Python packages.
- Persistence & Privilege (note): The installer creates persistent systemd services (prometheus, alertmanager, pushgateway, grafana-server, feishu) and enables them. This is expected for a monitoring stack, but it requires root and will create long-lived services running on the host. The skill is not set to always:true in the registry. It does not attempt to modify other skills' configs, but it does change system service state and network listeners — run only on machines you accept to persistently host monitoring.
