Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Clawhub Skill Infra Watchdog
v1.0.0Self-hosted infrastructure monitoring with local checks for HTTP, TCP, Docker, resources, SSL, DNS, Proxmox, and alerts via WhatsApp, Telegram, or Discord.
⭐ 0· 449·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description and included code implement a local infrastructure monitor (HTTP, TCP, Docker, disk, memory, SSL, DNS, Proxmox) which is coherent with the stated purpose. However SKILL.md claims alerts via WhatsApp/Telegram/Discord but neither the manifest nor SKILL.md declare or describe how credentials/tokens/webhooks for those services are provided, which is an unexplained omission.
Instruction Scope
SKILL.md instructs use of an 'infra-watchdog' CLI (init, add-monitor, cron-install, etc.) but the package provides only a single watchdog.py and no install/packaging instructions to make a CLI available on PATH; that mismatch means the runtime instructions are incomplete. The instructions also point at a local config path (~/.openclaw/workspace/infra-watchdog-data/config.json) which the code uses — that part is consistent. Finally, the HTTP checker in code disables SSL verification (ssl.CERT_NONE), which is unexpected given the skill advertises SSL validity checks.
Install Mechanism
No install spec is provided (instruction-only + included Python script). This minimizes remote install risk but is also inconsistent with SKILL.md which expects a ready CLI. The code will be written to the agent bundle and can be executed locally; there is no external download URL or archive to review.
Credentials
The skill declares no required environment variables or primary credential, but its advertised alert channels (WhatsApp/Telegram/Discord) normally require API keys, phone numbers, webhooks, or third‑party services. The code/config shown does not explain where those credentials live or how they are secured. This mismatch could lead to unclear runtime behavior (attempts to reach external endpoints, prompting the user for secrets, or storing tokens locally without guidance).
Persistence & Privilege
always is false and the skill does not request elevated platform privileges. The 'cron-install' command (documented) would create a periodic job if run, which is expected for a monitor but requires user consent. No indication that the skill modifies other skills or system-wide agent configurations.
What to consider before installing
This package appears to implement a local monitoring tool but has several gaps you should clarify before installing: (1) Where/how are WhatsApp/Telegram/Discord credentials or webhooks configured? Verify the code path used to send alerts and confirm you control any external endpoints. (2) SKILL.md expects an 'infra-watchdog' CLI, but there is no install/packaging step — decide how you'll install the Python script (virtualenv, symlink, packaging). (3) The HTTP check disables SSL verification — review whether SSL expiry checks are implemented separately and whether disabling verification is acceptable for your use. (4) Inspect the complete watchdog.py (including truncated parts) to confirm alert-sending code, any network endpoints contacted, and any file writes outside the documented data directory. (5) If you intend to run cron-install, test in a safe environment first. If you cannot review the full code, run the tool in an isolated VM or container and monitor outbound connections and file access before trusting it with production systems.Like a lobster shell, security has layers — review code before you run it.
latestvk9705x8rpw5208y1v86cvde9m181vyjk
License
MIT-0
Free to use, modify, and redistribute. No attribution required.