Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Observability Lgtm
v1.2.0Set up a full local LGTM observability stack (Loki + Grafana + Tempo + Prometheus + Alloy) for FastAPI apps. One Docker Compose, one Python import, unified d...
⭐ 0· 436·1 current·1 all-time
byNissan Dookeran@nissan
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description, required binaries (docker, docker-compose), included Docker Compose and a FastAPI Python library align with the stated goal of a local LGTM stack. However, docker-compose references an Alloy config at ./config/alloy/config.alloy which is not present in the provided file manifest — this will cause the stack to fail unless the file is added. Also the SKILL.md copy commands use a placeholder SKILL_DIR which is not defined; the user must adapt that when copying files.
Instruction Scope
Runtime instructions stay within the stated purpose (copy files into a workspace, start docker compose, install Python deps, instrument FastAPI, register apps). Minor scope issues: SKILL.md states 'no outbound network calls' while docker compose up will pull container images from registries (network outbound required). The instructions assume certain directories exist (e.g., config/prometheus/targets) and use a SKILL_DIR placeholder; these are usability mismatches rather than malicious behavior.
Install Mechanism
There is no separate install spec (instruction-only), which reduces risk. The stack relies on official container images (grafana, prom, loki, tempo, alloy) pulled by docker compose; that requires outbound network access to Docker registries. No arbitrary remote download URLs or extract operations are present in the skill bundle itself.
Credentials
The skill does not request secrets or credentials. The included Python code optionally reads OPENCLAW_LOG_DIR and OTLP_ENDPOINT (both optional and defaulted) but these are not required inputs. No unrelated credentials or config paths are requested.
Persistence & Privilege
Skill is not always-enabled and does not request elevated platform privileges. It writes files into the user workspace (projects/observability) and the register_app.sh writes JSON to the local config/prometheus/targets directory — both are expected for this functionality. It does not modify other skill configs or request long-term platform presence.
What to consider before installing
This skill largely does what it says: it gives you a local Grafana+Prometheus+Loki+Tempo stack and a small Python helper to instrument FastAPI apps. Before installing, check these operational issues: 1) The docker-compose references ./config/alloy/config.alloy but that file is not present in the package — you must supply or remove the Alloy service to avoid startup failure. 2) The SKILL.md claims 'no outbound network calls' but docker compose up will pull container images from registries (ensure your machine can fetch Docker images). 3) The copy example uses SKILL_DIR as a placeholder; adapt it to the actual skill path when copying files. 4) Grafana is configured to allow anonymous Admin access for local dev — this is convenient but exposes an admin UI on the host network port (3000); ensure your machine firewall/networking is configured appropriately if you're on an untrusted network. 5) The register_app.sh writes targets into the local prometheus targets directory (intended behavior) — ensure file permissions allow writing and that the ./config/prometheus/targets directory exists. If you want to proceed: add or provide the missing Alloy config, confirm Docker can pull images, and review the included docker-compose.yml and Python logging paths to ensure they match your desired workspace layout.Like a lobster shell, security has layers — review code before you run it.
latestvk971vs7kmzgyajdj21fv9mb57s81wjf4
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📊 Clawdis
Binsdocker, docker-compose