ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Monitor

v1.0.2

Create monitors for anything. User defines what to check, skill handles scheduling and alerts.

2· 1.5k·12 current·12 all-time
byIván@ivangdavila
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the declared requirements: only curl is required for HTTP checks, other tools are optional for specific check types. Storing monitors and logs under ~/monitor is consistent with a local monitor skill.
Instruction Scope
SKILL.md stays within monitoring scope but explicitly allows running user-provided commands (custom checks) and will post alert payloads to user-supplied webhooks or Pushover. These behaviors are expected for a monitor but grant the agent the ability to execute arbitrary commands you provide and to transmit alert data to external endpoints — review any custom commands and webhook targets.
Install Mechanism
Instruction-only skill with no install step and no code files; nothing is downloaded or written at install time beyond the runtime-created ~/monitor directory. Low install risk.
Credentials
No required credentials. Optional env vars (PUSHOVER_TOKEN, PUSHOVER_USER) are declared and used only for Pushover alerts. No unexpected secrets or unrelated credentials are requested.
Persistence & Privilege
Skill is not force-installed (always:false) but will create and write to ~/monitor/monitors.json, config.json, and logs. The agent may autonomously run scheduled checks (platform default); this is expected for a monitoring skill but increases the impact of any misconfiguration (e.g., a webhook that accepts sensitive data).
Assessment
Before installing, review and control these points: - Inspect monitor definitions (~/monitor/monitors.json) and avoid storing secrets (API keys, auth headers) in plain JSON. Use environment variables or secure stores where possible. - Be cautious with 'custom' checks: they run arbitrary commands you supply. Do not add untrusted commands that could access or transmit sensitive data. - Only provide webhook URLs or channels you trust. Alert payloads may include status, timestamps, and any logged output; a misconfigured webhook can leak information. - Limit granted access (SSH, Docker) to only the hosts/services you intend to monitor; the skill asks for explicit permission but will act on whatever is listed in 'requires'. - Set filesystem permissions on ~/monitor so only the intended user can read logs and configs (e.g., chmod 700 ~/monitor). - If you need stronger isolation, run this agent under a restricted user account or in an environment with limited network access, and review scheduled intervals to avoid resource or network abuse. Overall: the skill appears coherent for its stated purpose, but take care around custom commands, webhook targets, and any sensitive data that could be captured in logs or alert payloads.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e447kjpr39qdhg8gwp8n4v5818hbp

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📡 Clawdis
OSLinux · macOS · Windows
Binscurl

Comments