Security audit

Ai Monitor Pro

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a monitoring and incident-response playbook, but it needs review because broad prompts can lead to production-impacting commands and sensitive operational reporting without clear confirmation boundaries.

Install only if you want a human-reviewed operations playbook for monitoring, SLA reporting, incident triage, and related construction/ops reports. Do not let an agent execute the incident commands automatically in production; require explicit confirmation, verify host and service targets, start with read-only diagnostics, redact sensitive incident/customer data before Slack or Telegram notifications, and review the unsupported marketplace capability tags before enabling integrations.

SkillSpector (by NVIDIA)

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Description-Behavior Mismatch
Severity: High
Confidence: 96%
Finding: The skill content is materially misaligned with the stated product domain: it provides an instruction-only SRE methodology for IT/cloud reliability, while the manifest claims AI monitoring for construction sites and IT infrastructure. This can mislead users, downstream agents, or routing systems into invoking the wrong capability, causing unsafe operational decisions, failed task execution, or trust boundary violations in environments that expect construction-site monitoring expertise.

Intent-Code Divergence
Severity: High
Confidence: 98%
Finding: The documentation explicitly states the skill is not intended for construction sites, directly contradicting the surrounding skill context and claimed use case. This contradiction increases the risk of capability spoofing: users or orchestration systems may rely on the manifest-level description and deploy the skill in an inappropriate domain, leading to bad recommendations during safety- or operations-critical scenarios.

Description-Behavior Mismatch
Severity: High
Confidence: 97%
Finding: The documented functionality is materially different from the declared skill purpose: instead of construction-site and IT-infrastructure monitoring, it describes an OpenClaw agent operations platform with messaging, task orchestration, automation, and runbooks. This scope mismatch is dangerous because users may install a far more powerful control plane than expected, increasing the chance of unauthorized automation, data exposure, or operational abuse under a misleading label.

Context-Inappropriate Capability
Severity: Medium
Confidence: 88%
Finding: Agent-to-agent messaging and LLM-powered responses are not justified by the stated monitoring use case and introduce an unnecessary command-and-control surface. In this context, those features can enable prompt injection propagation, unintended autonomous actions, or leakage of operational data between agents without clear business need.

Context-Inappropriate Capability
Severity: Medium
Confidence: 90%
Finding: Task execution, workshop/Kanban, and team-management features go beyond passive monitoring and expand the skill into orchestration and workflow control. That broader capability set increases attack surface and the risk of misuse, especially when users expect a monitoring/dashboard tool rather than an execution platform.

Vague Triggers
Severity: Medium
Confidence: 83%
Finding: Broad triggers such as incident-response phrases can activate during ordinary discussion, causing the skill to surface or potentially execute sensitive operational workflows unexpectedly. In a monitoring skill that contains restart, cleanup, rollback, and network-response instructions, accidental activation materially increases the chance of unsafe actions or misleading emergency guidance.

Vague Triggers
Severity: Medium
Confidence: 81%
Finding: The trigger set around SLA/uptime/availability is generic enough to overlap with normal conversation, making unintentional mode switches plausible. Because the skill mixes executive reporting with operational playbooks, accidental activation could expose sensitive incident context or prompt risky remediation steps in the wrong context.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The skill includes destructive or high-impact commands such as service restarts, query termination, log vacuuming, pruning, rollback, and temporary file deletion, while framing them as ordered incident steps. In an agent setting, presenting these without strong warnings, preconditions, environment checks, and confirmation gates creates a meaningful risk of outage, data loss, or recovery actions being applied to the wrong host.

Missing User Warnings
Severity: Low
Confidence: 76%
Finding: The skill describes sending alerts and client notifications through Telegram, Slack, status pages, and similar channels, but provides no warning about sharing operational, customer, or incident data externally. In monitoring and incident response, these notifications can contain sensitive service names, outage details, financial impact, or customer-impact data that may breach privacy or contractual boundaries.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The file documents creation of systemd services, sudo/root execution, and hardcoded privileged paths, yet the installation section presents a simple startup flow without a prominent pre-install warning. This can mislead operators into deploying software that modifies persistent system services or uses elevated privileges, raising the risk of privilege misuse, persistence, and damage to host configuration.

Vague Triggers
Severity: Medium
Confidence: 91%
Finding: The example triggers are short, generic operational phrases like "дашборд" (dashboard), "инцидент" (incident), and "утренний отчёт" (morning report), which can easily appear in normal conversation and cause unintended skill activation. In a monitoring/incident-response context, accidental invocation can expose infrastructure summaries or incident data, or cause unintended state-changing actions such as adding incidents or updating thresholds.

Vague Triggers
Severity: Medium
Confidence: 88%
Finding: The document lists many command examples but does not specify what exact syntax activates the skill, what phrases should not activate it, or how to disambiguate quoted/example text from real commands. This ambiguity increases the chance of accidental or prompt-injected execution, especially in chat environments where users may paste logs, reports, or example phrases containing these commands.

Vague Triggers
Severity: Medium
Confidence: 87%
Finding: The trigger phrase set includes very generic activation terms, such as incident-oriented commands, which could plausibly overlap with ordinary user conversation in an ops chat. In a skill that appears to automate monitoring and incident workflows, ambiguous triggers can cause unintended activation, misclassification of user intent, or accidental execution of operational logic on free-form text.

Vague Triggers
Severity: Medium
Confidence: 91%
Finding: The configuration examples use imperative wording like setting thresholds without any visible scoping, authentication, or target-boundary constraints. If the agent accepts these phrases directly, a user could accidentally or improperly alter monitoring thresholds for production services, suppress alerts, or create noisy alerting behavior that degrades incident response.

Vague Triggers
Severity: Medium
Confidence: 84%
Finding: The quick-start exposes very broad trigger phrases such as "фото-отчёт" (photo report), "дашборд" (dashboard), and "инцидент" (incident) with no clear activation boundary, authentication step, or scoping constraints. In a chat-based agent, this can cause accidental invocation on ordinary user text and may lead the model to process sensitive operational or incident data in unintended contexts.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.