agent-metrics-monitor
PassAudited by ClawScan on May 1, 2026.
Overview
No malicious or materially suspicious behavior is evidenced; this appears to be a self-contained metrics and alerting helper, with minor notes about publisher provenance and retained metric labels.
This skill appears safe for its stated monitoring purpose. Before installing, confirm you trust the publisher, and when using it, keep metric labels and error categories free of secrets or personal data.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Users have less external context for verifying the publisher or maintenance history.
The registry metadata does not provide an external source repository or homepage, reducing provenance assurance, although the package appears self-contained and has no declared dependencies or install scripts.
Source: unknown; Homepage: none
Install only if you trust the registry publisher or have reviewed the included source for your use case.
Sensitive values accidentally used as metric labels or error types could be retained in memory and included in metrics exports.
The skill stores metric time-series data and labels in memory for a bounded retention period, which is expected for monitoring but can retain sensitive content if callers put secrets or user data into labels.
this.maxPoints = options.maxPoints || 10000; this.series = new Map(); ... this.retentionMs = options.retentionMs || 24 * 60 * 60 * 1000; ... points.push({ timestamp: Date.now(), value, labels });Use non-sensitive operation names, labels, and error categories; avoid raw prompts, tokens, personal data, or full exception payloads in metrics.