Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Unraid
v1.0.1Query and monitor Unraid servers via the GraphQL API. Use when the user asks to 'check Unraid', 'monitor Unraid', 'Unraid API', 'get Unraid status', 'check disk temperatures', 'read Unraid logs', 'list Unraid shares', 'Unraid array status', 'Unraid containers', 'Unraid VMs', or mentions Unraid system monitoring, disk health, parity checks, or server status.
⭐ 0· 2.5k·8 current·8 all-time
by@jmagar
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name, description, SKILL.md, and scripts are coherent with an Unraid monitoring skill (GraphQL queries for system, disks, containers, logs). However the registry metadata claims no required env vars or binaries while the scripts clearly depend on UNRAID_URL, UNRAID_API_KEY, curl, and jq — an inconsistency between declared requirements and actual capability.
Instruction Scope
SKILL.md instructs use of the helper scripts and to export UNRAID_URL and UNRAID_API_KEY. The included scripts (dashboard.sh, unraid-query.sh, examples) read a configuration file ($HOME/.clawdbot/credentials/unraid/config.json), call the Unraid endpoint, and write output/debug files (e.g., ${NAME}_debug.json and $HOME/clawd/memory/bank/unraid-inventory.md). The skill's runtime instructions and code therefore access and create files under the user's home and may persist query results — this scope is broader than the registry metadata indicates and should be validated.
Install Mechanism
No install spec is provided (instruction-only with bundled scripts). Nothing is downloaded or written during an install step beyond the included files, so install-time risk is low.
Credentials
Requesting an Unraid API key (Viewer role) is appropriate for a monitoring skill, but the registry lists no required env vars while the code expects UNRAID_URL and UNRAID_API_KEY. The dashboard script also reads $HOME/.clawdbot/credentials/unraid/config.json (which may contain multiple server entries and API keys) — the skill implicitly expects access to stored credentials but did not declare that in metadata. Additionally scripts expect curl and jq but metadata lists no required binaries.
Persistence & Privilege
The skill does not request forced always-on or autonomously modify other skills. However it writes files into the user's home (debug JSON and an inventory at $HOME/clawd/memory/bank/unraid-inventory.md) and reads a credentials config under $HOME/.clawdbot; this is normal for a local CLI tool but is persistent and could expose collected data if you run it in a shared environment. The skill also uses curl -k (ignoring TLS verification) which may reduce transport security.
What to consider before installing
This skill looks like a legitimate Unraid monitoring helper, but the declared metadata is incomplete and the scripts perform filesystem I/O in your home directory and expect environment variables and helper binaries. Before installing or running: 1) Inspect $HOME/.clawdbot/credentials/unraid/config.json (if it exists) to ensure it only contains servers/API keys you intend to expose to this tool. 2) Be aware the scripts save debug and report files (e.g., ${NAME}_debug.json and $HOME/clawd/memory/bank/unraid-inventory.md) — run in an isolated directory or container if you don’t want these persisted. 3) Verify you are willing to provide an Unraid API key (give the Viewer role only) and that keys stored for other services are not stored in the same config. 4) The helper uses curl -k (skips TLS verification) — consider editing scripts to remove -k or ensure you use valid TLS certs or a private network. 5) Ensure jq and curl are available on the host. If these gaps (missing metadata about env vars, binaries, and config paths) are acceptable and you trust the source, the scripts are coherent for their stated monitoring purpose; otherwise ask the publisher to correct metadata or provide a version that documents and limits file access.Like a lobster shell, security has layers — review code before you run it.
latestvk9737j0y5j8hrt31eyaqn0bjhd7zswkj
License
MIT-0
Free to use, modify, and redistribute. No attribution required.