Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Beszel Check

Monitor home lab servers via Beszel (PocketBase).

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 2.1k · 1 current installs · 1 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The index.js script legitimately implements PocketBase calls to authenticate and read system/container records, which matches the 'Beszel (PocketBase) monitoring' description. However, the skill metadata/registry claims no required environment variables while the code requires BESZEL_USER and BESZEL_PASS (and optionally BESZEL_HOST). That mismatch between declared requirements and actual code is inconsistent.
! Instruction Scope
SKILL.md instructs running: source ~/.zshrc && ~/clawd/skills/beszel/index.js ... Sourcing a user's shell RC will execute whatever is in that file (possibly running commands or exporting secrets). The instructions do not tell the user to set BESZEL_USER/BESZEL_PASS, so the only way to provide credentials appears implicit via sourced rc — this is risky and opaque.
Install Mechanism
There is no external install/download step and no packages pulled from remote hosts. The skill ships a single Node script that will be executed in-place; that is a low-risk install mechanism compared to remote downloads.
! Credentials
The code requires BESZEL_USER and BESZEL_PASS (and supports BESZEL_HOST) but the skill metadata/registry lists no required env vars or primary credential. Requiring user credentials is reasonable for authenticating to PocketBase, but failing to declare them is a mismatch. Also BESZEL_HOST is configurable and could point to external hosts if set — that capability should be declared and the user warned.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide settings, and has no special persistence behavior declared.
What to consider before installing
This skill's code does what its description says (authenticates to a PocketBase instance and reads 'systems' and 'container_stats'), but it has important mismatches you should address before installing:

  • The script requires BESZEL_USER and BESZEL_PASS (and optionally BESZEL_HOST), but the registry and SKILL.md do not declare these. Verify you understand where you'll store/provide those credentials.
  • SKILL.md tells you to 'source ~/.zshrc' before running. Sourcing your shell rc will execute any commands in that file and may expose secrets. Instead, prefer explicitly exporting only the BESZEL_* variables or running the script with a controlled environment.
  • BESZEL_HOST defaults to http://127.0.0.1:8090, but if you set BESZEL_HOST to a remote URL the script will send credentials and request data to that host. Ensure BESZEL_HOST points to a trusted, local instance before running.
  • There is a small code bug/inconsistency: the script does "const https = require('http')" (variable name suggests HTTPS while module is http). This isn't directly malicious but indicates limited review; inspect the code yourself or ask the author to fix/clarify.

Recommendations:

  1) Ask the publisher for a README that explicitly lists required env vars and network behavior, and for a homepage/source repository to verify provenance.
  2) Review the index.js content yourself (or have someone you trust do so). Confirm BESZEL_HOST is safe and that the endpoints used are the PocketBase instance you expect.
  3) Avoid sourcing your full shell rc; set BESZEL_USER/BESZEL_PASS in a minimal environment for the command or use a dedicated credential store.

If you cannot verify these points or the publisher's reputation, treat this skill as untrusted until clarified.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0
latestvk97b3qj2mjnc17xtddqghzgtv1804h0n

Runtime requirements

📊 Clawdis
Bins: node

SKILL.md

Beszel Monitoring

Check the status of your local servers.

Usage

  • beszel status - Get status of all systems
  • beszel containers - List top containers by CPU usage

Commands

# Get status
source ~/.zshrc && ~/clawd/skills/beszel/index.js status

# Get container stats
source ~/.zshrc && ~/clawd/skills/beszel/index.js containers

Files

2 total