Skill v1.0.0

ClawScan security

System Vigil · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 27, 2026, 3:26 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code and instructions match its stated purpose (checking disk, memory, and CPU) and it does not request extra credentials or network access, though there are minor inconsistencies and the 'predictive' claim is overstated.
Guidance
This skill appears to do what it says: run the Python script to get a JSON health snapshot from df/free and /proc/loadavg. Before installing, consider: (1) the author/source is unknown—review the code yourself or run it in a sandbox/container; (2) the script uses static thresholds (not true predictive analytics), so adjust thresholds if needed; (3) the SKILL.md mentions uptime but the script doesn't call it—ensure your runtime has df and free available and that you run this on a Linux host; (4) if you need long-running monitoring or remote reporting, the skill currently does not send data anywhere (no network calls), so add a review step before extending it to transmit metrics.

Review Dimensions

Purpose & Capability
note: Name/description match the behavior: the script reports disk, memory, and 15m load. Minor mismatch: SKILL.md/registry declare 'uptime' as a required binary but the code reads /proc/loadavg and never invokes uptime. The README's claim of 'Predictive Status' is optimistic — the script uses static threshold checks rather than prediction models.
Instruction Scope
ok: SKILL.md instructs the agent to run the included Python script and shows the JSON output format. The instructions do not ask the agent to read unrelated files, access credentials, or send data externally; the script only calls df and free and reads /proc/loadavg and prints JSON to stdout.
Install Mechanism
ok: No install spec is provided (instruction-only invocation with bundled code). There is no external download or package installation; package.json only provides a convenience script entry pointing to check.py.
Credentials
ok: The skill requests no environment variables or credentials. The only resources accessed are standard local system utilities (/proc/loadavg, df, free). This is proportional to a local system-health checker.
Persistence & Privilege
ok: The skill does not request persistent/always-on privileges, does not modify system or other skills' configs, and is user-invocable only. Autonomous invocation is allowed by platform default but is not itself unusual here.