Boot Kpi Analyzer

Security checks across malware telemetry and agentic risk

Overview

This appears to be a purpose-aligned KPI log analyzer, but it uses local commands, fixed local log paths, and an internal IP endpoint that users should review before use.

This skill looks safe for its stated KPI-analysis purpose if used in the intended internal environment. Before installing, confirm that the fixed /home/lixiang data paths and the private 10.122.86.46:9999 service are appropriate for your system, and review any local command before allowing the agent to run it.

VirusTotal

64/64 vendors flagged this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Low
What this means

The agent may run local curl commands against an internal service and display internal KPI session data.

Why it was flagged

The skill explicitly directs use of a shell command to query a private IP endpoint. This is disclosed and tied to KPI analysis, but it gives the agent local command and internal-network access for this workflow.

Skill content
web_fetch cannot access private IPs; you must use `execute_command` to run the `curl` command. ... curl -s http://10.122.86.46:9999/api/latest
Recommendation

Use it only in the intended internal environment, review the exact curl command before execution, and avoid broadening the URL or shell arguments unless explicitly needed.

ASI06: Memory and Context Poisoning
Low
What this means

Internal log/report contents may be brought into the conversation or generated reports.

Why it was flagged

The script prints local KPI summary content verbatim into the agent-visible output. That is expected for a log analyzer, but local reports may contain internal build IDs, errors, service names, or other sensitive diagnostic text.

Skill content
with open(summary_path, errors='replace') as f:
    print(f.read())
Recommendation

Run the skill only on intended KPI data, avoid using logs that contain secrets, and treat log/report text as data rather than instructions.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

Users have limited external provenance information for verifying who maintains the skill or where the script came from.

Why it was flagged

The artifacts do not provide a public source or homepage for provenance review. No malicious behavior is evidenced, but users have less context for trusting the included script.

Skill content
Source: unknown; Homepage: none
Recommendation

Install only if you trust the registry owner or have reviewed the provided script and intended environment.