ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

asclaude-monitor

v1.0.0

Monitors system resources, manages scheduled tasks, tracks background jobs, and sends proactive alerts to ensure stable automated workflows in OpenClaw.

0· 22·0 current·0 all-time
bySherman Schulist@miaoxingjun
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The described purpose (monitor system resources, cron tasks, sub-agent tracking) matches the included scripts which check disk usage and call 'openclaw cron list' and 'openclaw gateway status'. However the package metadata does not declare that the 'openclaw' CLI is required, and the README/SKILL.md claim proactive push notifications (e.g., Feishu) though no code or env vars implement that. These are inconsistencies but not evidence of malicious intent.
Instruction Scope
SKILL.md simply instructs the user to run the two Python scripts. The scripts operate locally: they read ~/.openclaw/workspace for disk stats and invoke 'openclaw' subcommands via subprocess.run. They do not exfiltrate data or contact external endpoints. The discrepancy is that SKILL.md promises alerting/push integrations which are not implemented in the included scripts.
Install Mechanism
No install spec (instruction-only with small included scripts). Nothing is downloaded or written during installation. Risk from install mechanism is low.
Credentials
The skill declares no required environment variables or credentials, and the scripts do not access secrets. However, they do rely on an external 'openclaw' binary and a workspace path (~/.openclaw/workspace) that are not declared in the metadata; the omission reduces transparency and should be corrected.
Persistence & Privilege
always is false and the skill does not request persistent or system-wide privileges, nor does it modify other skills or global agent configs. It is user-invocable only, which is appropriate for its functionality.
What to consider before installing
This skill appears small and mostly benign, but take these precautions before installing or running it: 1) The scripts call the 'openclaw' CLI and reference ~/.openclaw/workspace but the metadata doesn't declare that dependency—ensure you trust and have the 'openclaw' binary on PATH. 2) SKILL.md/README claim push notifications (Feishu/chat) but no push code or credentials are present; if you need that feature ask the author for implementation or a secure webhook setup. 3) The Python files use subprocess.run to invoke 'openclaw'—review the scripts yourself and run them in a sandbox or restricted environment first. 4) If you plan to run regularly, request that the author update metadata to list required binaries and document any network or credential requirements. These steps will reduce risk and clarify intent.

Like a lobster shell, security has layers — review code before you run it.

latestvk973bmxf1k7hdjq00m29c5p8pn848050

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments