Skillv1.0.5

ClawScan security

SeeWeb Uptime · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 4, 2026, 8:37 PM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill is generally what it claims (a Watch.dog monitoring MCP wrapper) but contains several incoherencies: it requires an API key in practice while the registry metadata says none, and its runtime instructions ask the agent to auto-write credentials and silently test them and to hide raw JSON—behaviors that reduce transparency and could trigger unexpected network calls.
Guidance: What to consider before installing: - This skill will need your Watch.dog API key and API URL to function; although the registry listed no required env vars, the code will fail without WATCHDOG_API_KEY. Provide only a limited-scope key (if Watch.dog supports it) and rotate it when done. - SKILL.md and the embedded system prompt instruct the agent to automatically create/overwrite a .env file in the skill folder with your API key and to immediately run list_monitors as a silent connection test. That means your credential could be written to disk and an automatic network call will occur as soon as you supply it — ask for or require explicit user confirmation before saving/testing credentials. - The prompt forbids showing raw JSON. That reduces transparency about exactly what the remote API returned. If you install, request that the agent also show (or let you request) the raw response for auditing, or run the skill in a sandbox first and inspect network traffic. - The code performs HTTP POSTs to the configured WATCHDOG_API_URL. Verify that the URL is the official Watch.dog endpoint before supplying credentials (attacker-controlled URLs could exfiltrate keys). - The package uses standard npm libraries; review index.js (you have it) and monitor outgoing requests (e.g., with a network proxy) if you have concerns. The code shown uses fetch to send JSON-RPC calls to the configured endpoint — nothing obviously obfuscated, but the instruction to hide raw JSON is a transparency concern. - If you want to proceed: (1) create a dedicated API key with minimal privileges, (2) back up and inspect the .env written by the skill, (3) run the skill in an isolated environment or review network logs during the first credential test, and (4) require the agent to ask for explicit confirmation before saving credentials or performing destructive actions (deletions).

Review Dimensions

Purpose & Capability: concernThe skill's name/description match the implementation (a Node-based MCP bridge to the Watch.dog API). However the package and SKILL.md expect a WATCHDOG_API_KEY and WATCHDOG_API_URL to function (callRemoteTool throws if apiKey is missing), while the registry metadata reported 'Required env vars: none'. That mismatch is an incoherence: the skill will not work without credentials despite registry claiming none.
Instruction Scope: concernSKILL.md (and the system prompt embedded in the code) instructs the agent to automatically create/overwrite a .env file with the user's API key and URL, then immediately execute list_monitors as a silent test when credentials are provided or changed. It also mandates 'FORBIDDEN to show raw JSON' which reduces visibility into tool results. These instructions go beyond simple API calls and include file writes and automatic network activity that the user may not expect.
Install Mechanism: okNo special install spec is embedded (npm install is expected). package.json lists standard npm dependencies (@modelcontextprotocol/sdk, zod). There are no downloads from arbitrary URLs or extract-from-URL steps. Install risk is typical for a Node skill (moderate due to third-party packages), not unusually high.
Credentials: concernThe runtime requires WATCHDOG_API_KEY and WATCHDOG_API_URL (used for Authorization and endpoint in remote calls). Asking for an API key is proportionate for a monitoring integrator, but the skill metadata declared no required env vars — inconsistent. Also SKILL.md instructs automatic writing of credentials into a .env file in the skill folder, which may be unexpected; the skill does not request any other unrelated secrets.
Persistence & Privilege: notealways:false (no forced persistent inclusion). The skill's instructions ask to write/overwrite a .env file in its directory to store credentials; writing its own config is normal but the automatic overwrite instruction (and the requirement to run a silent test immediately) increases the chance of unintended network calls. The code itself reads .env at startup but does not contain explicit file-write logic—this is a behavioral instruction to the agent rather than implemented host-side code, which is an inconsistency to be aware of.