Monitoring

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only monitoring guide with normal observability examples, but users should secure telemetry, ports, logs, and secrets before using the examples in production.

Safe to install as a guide, but do not copy the examples directly into production without hardening them. Pin package versions when needed, protect Grafana and alerting secrets, restrict monitoring ports to trusted networks, and redact or minimize PII, tokens, headers, request bodies, stack traces, and logs sent to monitoring vendors.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 88%
Finding
The guidance encourages enabling Sentry and OpenTelemetry features that can capture user context, stack traces, breadcrumbs, request metadata, and outgoing HTTP/database telemetry, but it does not warn that these signals may contain sensitive data or be sent to third-party SaaS backends. In a monitoring skill, this omission is materially relevant because users are likely to follow the examples directly, increasing the risk of accidental collection, export, and retention of PII, secrets, or regulated data.

Missing User Warnings

Medium
Confidence: 88%
Finding
The compose example exposes Prometheus, Grafana, and Alertmanager on host ports and configures Grafana admin credentials via an environment variable, while also describing host-level collection through node_exporter mounts of /proc, /sys, and /. In a monitoring skill this is functionally relevant, but without explicit warnings or hardening guidance it can lead users to deploy internet-reachable observability services and broad host visibility, increasing the risk of information disclosure and unauthorized admin access.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill instructs users to integrate third-party monitoring and error-tracking services such as Sentry, UptimeRobot, Healthchecks.io, Telegram, and Slack, which can receive application metadata, operational telemetry, error details, and potentially sensitive runtime data. While this is common for observability tooling, the document provides no privacy, data-handling, or data-minimization warning, so users may unknowingly export production information to external services.

VirusTotal

58/58 vendors flagged this skill as clean.
