Web Monitor
PassAudited by ClawScan on May 1, 2026.
Overview
The skill appears purpose-aligned for website monitoring, but users should notice that it makes web requests, stores monitoring history locally, can run on a schedule, and can send alerts to webhooks.
Before installing, decide whether you are comfortable with this skill fetching the URLs you configure, keeping snapshots and history under ~/.web-monitor, and optionally sending notifications to webhook services. Use scheduled checks and webhooks only when you intentionally want ongoing monitoring and external alerts.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may fetch any URL the user asks it to monitor, from the user's local environment.
The skill relies on local command execution and outbound web requests to user-specified URLs, which is central to the monitoring purpose but gives the agent a broad web-fetching capability.
Uses curl (via subprocess) to fetch pages
Only monitor URLs you trust and intend to check from this environment; avoid internal, private, or token-bearing URLs unless you understand the exposure.
Page contents and change history may remain on disk, including any sensitive information present in monitored pages.
The tool persists monitor state, snapshots, screenshots, and change history locally, so monitored page content can be retained and reused in later checks or reports.
Stores all data in ~/.web-monitor/ (or the directory set by WEB_MONITOR_DIR).
Use a dedicated data directory if needed, review stored monitor data periodically, and avoid monitoring sensitive pages unless local retention is acceptable.
Change summaries or alert details may be sent to third-party services, and webhook URLs themselves may act like secrets.
The skill can send notifications to external webhook endpoints when the user configures them, which is expected for alerts but creates an outbound data path.
Webhooks to Slack, Discord, or any endpoint
Use only webhook endpoints you control, treat webhook URLs as credentials, and avoid sending sensitive monitored content to shared channels.
If scheduled, the monitor can keep making network checks and reporting changes without a new manual command each time.
The examples show how to set up recurring checks, including an agent turn that runs the monitor periodically. This is normal for monitoring but creates ongoing background activity if enabled.
"schedule": { "kind": "cron", "expr": "0 */6 * * *" }Enable scheduled checks only intentionally, choose an appropriate interval, and remove or pause the schedule when monitoring is no longer needed.
Users have less external context for verifying the origin or maintenance history of the included script.
The registry metadata does not provide an external source or homepage, which limits provenance context, although no remote installer or hidden download behavior is shown.
Source: unknown; Homepage: none
Install only if you trust this registry package and review the included script/version before using long-running monitors.