Lerwee Alert Inspection

Pass

Audited by ClawScan on May 10, 2026.

Overview

This skill appears purpose-aligned for generating monitoring inspection reports, but it needs access to a monitoring API credential and saves detailed host/alert data locally.

Use this skill only if you trust the configured Lerwee monitoring endpoint and are comfortable giving the agent a monitoring API secret. Protect the generated Markdown, JSON, and Excel files because they may contain infrastructure details such as hostnames, IP addresses, and alert data. Prefer HTTPS for the API URL and run the temporary export step in a trusted local environment.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using the skill may let the agent read host and alert information from the configured monitoring system.

Why it was flagged

The skill requires a monitoring API URL and secret even though registry metadata declares no required env vars or primary credential. The credential use is disclosed and purpose-aligned, but users should recognize it grants access to monitoring data.

Skill content
The following environment variables are required:

- `LWJK_API_URL`
- `LWJK_API_SECRET`

By default they are read from `skills/alert-inspection/.env`.
Recommendation

Configure a least-privilege API secret, verify the endpoint is the intended Lerwee monitoring backend, and update metadata/installation documentation to declare the required credential.

What this means

Monitoring data could be exposed on the local network if the backend is accessed over unencrypted HTTP.

Why it was flagged

The bundled default API URL uses plain HTTP to a private IP. If used as-is with a real secret, authenticated monitoring traffic and returned host/alert data may travel without TLS protection.

Skill content
LWJK_API_URL=http://192.168.1.79/backend_api
LWJK_API_SECRET=
Recommendation

Prefer an HTTPS endpoint where available, or only use the HTTP endpoint on a trusted internal network with an appropriate low-privilege secret.
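The two findings above (an undeclared credential read from `.env`, and a bundled default that points at plain HTTP on a private IP with an empty secret) can be caught before the agent sends a single request. The following is an added example, not code from the skill or from ClawScan: it parses a `.env` file, refuses to proceed with a missing secret, and accepts plain HTTP only to a private address and only when the operator opts in. The `LWJK_ALLOW_INSECURE_HTTP` variable is an assumption introduced here for that opt-in; the skill itself only defines `LWJK_API_URL` and `LWJK_API_SECRET`, and `DEFAULT_DOTENV` is a constructed copy of the shipped default.

```python
"""Added example (not part of the skill): load and validate the alert-inspection
configuration before any request is made. LWJK_ALLOW_INSECURE_HTTP is an opt-in
variable assumed here for illustration; the skill itself only defines
LWJK_API_URL and LWJK_API_SECRET."""
import ipaddress
from urllib.parse import urlsplit

# Constructed copy of the bundled default .env (secret shipped empty, as in the skill).
DEFAULT_DOTENV = """\
# defaults bundled with the skill
LWJK_API_URL=http://192.168.1.79/backend_api
LWJK_API_SECRET=
"""


def parse_dotenv(text):
    """Minimal KEY=VALUE parser: skips blanks and comments, strips one layer of quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def classify_transport(url, allow_private_http):
    """Return (transport, problem). HTTPS is always accepted; plain HTTP only to a
    private IP address and only when the operator opted in explicitly."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return "https", None
    if parts.scheme != "http":
        return None, "unsupported URL scheme %r" % parts.scheme
    try:
        addr = ipaddress.ip_address(parts.hostname or "")
    except ValueError:
        return None, "plain HTTP is only tolerated for a private IP address, not a hostname"
    if not addr.is_private:
        return None, "plain HTTP to non-private address %s" % addr
    if not allow_private_http:
        return None, "plain HTTP to a private address requires LWJK_ALLOW_INSECURE_HTTP=1"
    return "insecure-private-http", None


def validate_config(env):
    """Return (config, problems); config is None if anything is wrong. The secret
    value is never echoed into a problem message, so the list is safe to log."""
    problems = []
    url = env.get("LWJK_API_URL", "").strip()
    secret = env.get("LWJK_API_SECRET", "").strip()
    if not url:
        problems.append("LWJK_API_URL is not set")
    if not secret:
        problems.append("LWJK_API_SECRET is empty (the bundled default ships without one)")
    transport = None
    if url:
        transport, problem = classify_transport(url, env.get("LWJK_ALLOW_INSECURE_HTTP") == "1")
        if problem:
            problems.append(problem)
    if problems:
        return None, problems
    return {"url": url.rstrip("/"), "secret": secret, "transport": transport}, []


if __name__ == "__main__":
    # Constructed walk-through: the shipped default is rejected for its empty secret.
    print(validate_config(parse_dotenv(DEFAULT_DOTENV)))
```

Run against the bundled `.env` as shipped, `validate_config` reports the empty secret; with a secret filled in it still refuses the `http://192.168.1.79` endpoint until the opt-in is set, which keeps the plain-HTTP decision an explicit one rather than a default.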

What this means

If untrusted values are inserted into the temporary script or the /tmp file is tampered with on a shared machine, unintended code could run under the user's account.

Why it was flagged

The workflow deliberately creates and executes a temporary Python export script. This is part of the stated Excel generation process, but placeholder substitution and a fixed /tmp path should be handled carefully.

Skill content
cp skills/alert-inspection/references/export_excel_template.py /tmp/alert_inspection_export.py ... then run:

```bash
python3 /tmp/alert_inspection_export.py
```
Recommendation

Use safe quoting/serialization for placeholder values, prefer unique secure temporary files, and run the skill only in a trusted local environment.
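What "safe quoting/serialization" and "unique secure temporary files" mean in practice, as an added example that is not the skill's own code: `TEMPLATE` is a constructed stand-in for the placeholder lines of `references/export_excel_template.py` (the real template is not reproduced here, and the placeholder names are assumptions), `CRAFTED_TITLE` is a constructed hostile value of the kind that could arrive in an alert description, and the script is written with `tempfile.mkstemp` instead of the fixed `/tmp` path.

```python
"""Added example (not the skill's code): render the export script with safely quoted
placeholder values and write it to a unique 0600 temp file. TEMPLATE is a constructed
stand-in for the placeholder lines in references/export_excel_template.py, and the
placeholder names are assumptions."""
import ast
import os
import re
import stat
import tempfile

TEMPLATE = "OUTPUT_DIR = __OUTPUT_DIR__\nREPORT_TITLE = __TITLE__\n"
FIXED_PATH = "/tmp/alert_inspection_export.py"  # the fixed path the skill uses

# Constructed hostile value, e.g. text copied from an alert description into the title.
CRAFTED_TITLE = 'x"; import os; os.system("id"); y = "'


def quote_unsafe(value):
    """Wrap in double quotes and hope: a quote inside the value ends the literal."""
    return '"' + str(value) + '"'


def quote_safe(value):
    """repr() yields a Python string literal with quotes and backslashes escaped."""
    return repr(str(value))


def render(template, values, quote):
    """Single-pass substitution, so a substituted value is never rescanned for placeholders."""
    return re.sub(r"__([A-Z_]+?)__", lambda m: quote(values[m.group(1)]), template)


def load_constants(source):
    """Parse the rendered script and accept only `NAME = <constant>` statements;
    an import or call means a value was interpreted as code."""
    values = {}
    for node in ast.parse(source).body:
        ok = (isinstance(node, ast.Assign) and len(node.targets) == 1
              and isinstance(node.targets[0], ast.Name)
              and isinstance(node.value, ast.Constant))
        if not ok:
            raise ValueError("unexpected statement at line %d" % node.lineno)
        values[node.targets[0].id] = node.value.value
    return values


def is_pure_data(source):
    try:
        load_constants(source)
    except (ValueError, SyntaxError):
        return False
    return True


def write_script_securely(source):
    """mkstemp creates a fresh name with O_CREAT|O_EXCL and mode 0600, so another
    local user cannot pre-create, read or swap the file the way they could at FIXED_PATH."""
    fd, path = tempfile.mkstemp(prefix="alert_inspection_", suffix=".py")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(source)
    return path


def demo(output_dir="/tmp/out", title=CRAFTED_TITLE):
    """Render both ways, write the safe version, and report what a reviewer would check."""
    values = {"OUTPUT_DIR": output_dir, "TITLE": title}
    unsafe_src = render(TEMPLATE, values, quote_unsafe)
    safe_src = render(TEMPLATE, values, quote_safe)
    path = write_script_securely(safe_src)
    try:
        with open(path, encoding="utf-8") as fh:
            written = fh.read()
        mode = stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.unlink(path)
    return {
        "unsafe_is_data": is_pure_data(unsafe_src),      # False: the title became code
        "safe_is_data": is_pure_data(safe_src),          # True: still one string literal
        "title_roundtrip": load_constants(safe_src)["REPORT_TITLE"] == title,
        "path_is_unique": path != FIXED_PATH,
        "written_matches": written == safe_src,
        "mode": mode,                                    # 0o600 on POSIX
    }


if __name__ == "__main__":
    print(demo())
```

With the naive quoting, the crafted title turns the `REPORT_TITLE` line into an assignment followed by an `import` and a call, which `load_constants` rejects; with `repr()` the same value stays a single string literal and round-trips unchanged. If the template is only ever fed configuration values, passing them in a JSON side file rather than substituting them into source removes the question entirely.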

What this means

Generated report JSON files may contain detailed backend records such as host metadata, IPs, alert descriptions, and other raw fields.

Why it was flagged

The normalized host and problem records retain the full raw API objects, which are then used for the generated JSON report outputs. This may store more monitoring detail than the visible Markdown/Excel summaries.

Skill content
"raw": host,
...
"raw": problem,
Recommendation

Store generated reports securely, avoid sharing the JSON files broadly, and consider removing raw fields if only the standardized report columns are needed.
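The normalization described above keeps the full API object under `raw`. The following added example, not the skill's own code, shows the alternative: an allowlist of report columns with `raw` attached only on request, a recursive `strip_raw` for reports that already carry it, and a writer that creates the JSON file owner-readable only. The sample host and problem objects and the column names are constructed assumptions about what the monitoring backend returns.

```python
"""Added example (not the skill's code): build the JSON report from standardized
columns only, and strip `raw` fields from a report that already carries them.
The sample records and column names are constructed assumptions about what the
monitoring backend returns."""
import json
import os
import tempfile

# Constructed sample API objects (not real hosts or alerts).
SAMPLE_HOST = {
    "hostid": "10084", "host": "web-01", "ip": "192.168.1.23", "status": "0",
    "inventory": {"os": "Ubuntu 22.04", "serialno_a": "SN-000123", "location": "rack 4"},
    "interfaces": [{"ip": "192.168.1.23", "port": "10050"}],
}
SAMPLE_PROBLEM = {
    "eventid": "5551", "name": "High CPU on web-01", "severity": "3", "clock": "1746860400",
    "opdata": "cpu idle 3.2%", "hosts": [{"hostid": "10084"}],
    "tags": [{"tag": "team", "value": "ops"}],
}

HOST_COLUMNS = ("hostid", "host", "ip", "status")
PROBLEM_COLUMNS = ("eventid", "name", "severity", "clock")


def normalize_host(host, keep_raw=False):
    """Allowlist the report columns; attach the full object only on request."""
    rec = {col: host.get(col) for col in HOST_COLUMNS}
    if keep_raw:
        rec["raw"] = host
    return rec


def normalize_problem(problem, keep_raw=False):
    rec = {col: problem.get(col) for col in PROBLEM_COLUMNS}
    if keep_raw:
        rec["raw"] = problem
    return rec


def build_report(hosts, problems, keep_raw=False):
    return {
        "hosts": [normalize_host(h, keep_raw) for h in hosts],
        "problems": [normalize_problem(p, keep_raw) for p in problems],
    }


def strip_raw(obj):
    """Recursively remove every `raw` key, for reports produced with keep_raw=True."""
    if isinstance(obj, dict):
        return {k: strip_raw(v) for k, v in obj.items() if k != "raw"}
    if isinstance(obj, list):
        return [strip_raw(v) for v in obj]
    return obj


def count_key(obj, key):
    """Count occurrences of a key anywhere in a nested structure."""
    if isinstance(obj, dict):
        return sum((1 if k == key else 0) + count_key(v, key) for k, v in obj.items())
    if isinstance(obj, list):
        return sum(count_key(v, key) for v in obj)
    return 0


def json_size(report):
    return len(json.dumps(report, ensure_ascii=False))


def write_report(report, directory=None):
    """Write report.json with mode 0600 at creation time and return (path, mode)."""
    directory = directory or tempfile.mkdtemp(prefix="alert_inspection_")
    path = os.path.join(directory, "report.json")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(report, fh, ensure_ascii=False, indent=2)
    return path, os.stat(path).st_mode & 0o777


if __name__ == "__main__":
    full = build_report([SAMPLE_HOST], [SAMPLE_PROBLEM], keep_raw=True)
    lean = build_report([SAMPLE_HOST], [SAMPLE_PROBLEM])
    print(json_size(full), json_size(lean), write_report(lean))
```

The inventory serial number, rack location and interface list never reach the lean report, and `strip_raw(full) == lean` holds, so an existing pipeline can keep `raw` internally and drop it at the point where the JSON leaves the machine.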