ClawHub

Mcp Health Monitor

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed service-monitoring skill that runs local health checks, can restart configured services, and optionally sends failure alerts to Telegram.

Install only if you want a recurring local monitor that may restart the services listed in the script. Review and edit the SERVICES array first, set labels to none for services you do not want restarted, and avoid putting sensitive infrastructure names in alerts sent through Telegram.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill clearly instructs users to run shell commands, copy executable scripts, and configure scheduled execution, yet it declares no permissions or equivalent capability disclosure. That mismatch can prevent proper review and informed consent, increasing the chance that users execute automation with broader system effects than expected.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly advertises automatic restart of failed services but does not prominently warn users that the skill can stop and start local services on their behalf. In an automation context, that omission matters because users may deploy it as a background monitor without appreciating that it can alter system state, disrupt workloads, or restart the wrong service if misconfigured.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README instructs users to configure Telegram bot credentials for failure alerts but does not clearly disclose that service names, health/failure status, and possibly operational metadata will be sent to a third-party messaging platform. This creates a privacy and operational security risk because monitoring data may leave the local environment unexpectedly.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill sends incident details to Telegram, a third-party service, but does not present an explicit privacy warning about transmitting service names, failure states, timestamps, and potentially sensitive operational metadata off-host. In monitoring contexts, even seemingly minor telemetry can reveal internal infrastructure and outage patterns.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal