Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nex Healthcheck

v1.0.0

Multi-service health and uptime monitoring dashboard for websites, APIs, infrastructure, and applications across multiple systems. Monitor website availabili...

by Nex AI @nexaiguy
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The code implements the advertised health checks (HTTP, TCP, DNS, SSL, Docker, systemd, SSH commands, disk, ping) and the required binaries (python3, dig, ssh) are relevant. However the registry claims Telegram creds are required; in the code Telegram is optional (defaults to empty) which is an inconsistency between metadata and implementation.
Instruction Scope
SKILL.md and CLI instruct only the expected monitoring actions. It also documents running arbitrary commands remotely via the ssh_cmd check and supports running docker/systemctl on remote hosts via SSH — this is within the tool's purpose but increases risk because SSH checks execute arbitrary remote commands. There are also small implementation bugs (e.g., check_ssl_cert accesses ssock after the socket context, which is a code-quality/functional issue).
Install Mechanism
There is no remote download install; setup.sh is included and idempotently creates a data directory, initializes a local SQLite DB, installs a wrapper in ~/.local/bin, and optionally installs a user systemd timer. All files are local and transparent; no external archives or downloads are fetched during install.
Credentials
Registry metadata lists HEALTHCHECK_TELEGRAM_TOKEN and HEALTHCHECK_TELEGRAM_CHAT as required env vars, but the code treats these as optional (defaults to empty) and will simply skip alerts if not provided. Marking them required in the registry is disproportionate/confusing. Other requested env vars (HEALTHCHECK_DATA) are reasonable. No unrelated cloud secrets or extra credentials are requested.
Persistence & Privilege
The skill does not force persistent inclusion or elevate privileges. setup.sh creates a CLI wrapper in ~/.local/bin and can (with explicit user consent) install a per-user systemd timer to run checks periodically — this is persistent but user-controlled. The skill does not alter other skills or system-wide credentials.
What to consider before installing
This package appears to be what it claims (a local health-check tool), but review and cautious deployment are advised:

- Metadata mismatch: the registry marks Telegram env vars as required, but the code treats them as optional. Do not put production secrets into environments unless you intend to enable Telegram alerts.
- SSH remote checks: the tool supports executing arbitrary commands on remote machines via SSH (ssh_cmd, remote docker/systemd). Only use that feature with hosts you control and with properly restricted SSH keys; untrusted targets can run unexpected commands.
- Systemd timer: setup.sh can optionally install a user systemd timer to run checks periodically. Accept that only if you want a persistent background job; the installer prompts before enabling it.
- Inspect and test before production: run setup.sh in a non-production or containerized environment first, inspect the created files (~/.nex-healthcheck, ~/.local/bin/nex-healthcheck), and verify behavior.
- Code quality issues: there are minor bugs (e.g., SSL certificate check references the socket object after the with block) — consider reviewing/fixing or running tests before relying on expiry alerts.

If you plan to use this skill: review the source (already included), avoid setting global/privileged tokens unnecessarily, restrict SSH access, and run the installer interactively so you can decline the systemd timer if undesired.

Like a lobster shell, security has layers — review code before you run it.

latest vk979z8q6hnst4ebq7vd3han9y58492ek


Runtime requirements

💓 Clawdis
Bins: python3, dig, ssh
Env: HEALTHCHECK_TELEGRAM_TOKEN, HEALTHCHECK_TELEGRAM_CHAT
