Skill v1.0.0

ClawScan security

Nas system monitor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review, Feb 27, 2026, 4:22 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's description and runtime instructions promise network/service monitoring and webhook alerts, but the included code only performs basic local checks (disk/memory/CPU temp) and does not implement notification logic or use the advertised environment variables—this mismatch suggests the package is incomplete or inconsistently documented and needs clarification before use.
Guidance
This package appears to be incomplete or inconsistently documented rather than overtly malicious. Before installing or running it:
1) Ask the publisher/maintainer to provide the missing requirements.txt and to clarify which env vars (e.g., FEISHU_WEBHOOK, DISCORD_WEBHOOK) are required.
2) Inspect or request the implementation of _send_notifications; do not provide webhook secrets until you can verify how and where alerts are posted.
3) If you run it, do so on a non-production/isolated system first. The script reads local system files and calls df (expected for monitoring) but currently only prints alerts (no external network calls).
4) Prefer a vetted release, or verify the GitHub repository history/commits. If notification delivery is added in future changes, re-review that code to ensure it only posts to intended webhook endpoints and does not exfiltrate unrelated data.

Review Dimensions

Purpose & Capability
concern: The README/SKILL.md advertises disk, network (bandwidth/DDoS), service (Docker/process) monitoring and multi-channel alerts (Feishu/Discord/Telegram). monitor.py implements only disk usage, memory, and CPU temperature checks and does not implement network/service monitoring or alert delivery. The SKILL.md references a requirements.txt and FEISHU_WEBHOOK, but the registry metadata declares no required env vars and the repo does not include requirements.txt; these are inconsistent with the stated purpose.
Instruction Scope
concern: SKILL.md instructs users to run pip install -r requirements.txt and to set FEISHU_WEBHOOK, but there is no requirements.txt in the manifest and monitor.py does not read FEISHU_WEBHOOK or any webhook env var. The instructions therefore promise external communication that the code does not perform. The code does read local system files (/proc/meminfo, /sys/class/thermal/...) and runs df via subprocess; this is appropriate for local monitoring, should be expected by users, and is limited to local system state.
Install Mechanism
ok: There is no formal install spec (instruction-only skill). This is low-risk from an install perspective. The SKILL.md's pip install suggestion references a missing requirements.txt, which is an inconsistency but not an install-time red flag (no external downloads or archive extraction are specified).
Credentials
concern: SKILL.md asks users to export FEISHU_WEBHOOK, but the code does not access that environment variable or any credentials. The registry metadata lists no required env vars. Asking for a webhook secret in the docs without the code using it is disproportionate and confusing; if notification code is added later it would legitimately need webhook URLs, so the mismatch should be resolved before trusting the skill.
Persistence & Privilege
ok: The skill does not request persistent/always-on privileges; flags show always:false and normal user-invocation/autonomous-invocation defaults. The code does not modify other skills or system-wide agent settings. No persistence or privilege escalation is indicated.