Security Monitor
Real-time security monitoring for Clawdbot. Detects intrusions, unusual API calls, credential usage patterns, and alerts on breaches.
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 4 · 5.6k · 39 current installs · 40 all-time installs
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description (real-time security monitoring) matches the code's activities (auth log checks, port/process/docker checks, file-change detection). The capability set (tail logs, ss/netstat, ps, docker) is consistent with monitoring.
Instruction Scope
SKILL.md simply instructs running the provided monitor script but does not disclose that the script will read /var/log/auth.log, /root/clawd/skills/.env, /root/clawd/.env and other root-owned paths, nor that it writes state and logs to /root/clawd/clawdbot-security. The code will therefore access sensitive system files and potential credentials even though the documentation doesn't call this out.
Install Mechanism
No install spec; this is instruction + included script. No network downloads or external package installs are performed by the skill itself (only Node built-ins and exec calls).
Credentials
Registry metadata declares no required env vars or credentials, but the script reads .env files under /root/clawd (potentially containing service credentials) and inspects auth/system logs. That is a mismatch: the skill will access sensitive configuration/credentials without declaring them or explaining why.
Persistence & Privilege
Skill does not request always:true and does not autonomously modify other skills. However, it writes state and log files under /root/clawd/clawdbot-security and will likely require elevated privileges (or access to root-owned paths) to function fully; the documentation doesn't mention run-as requirements.
What to consider before installing
This skill's code aligns with a monitoring purpose, but it reads system auth logs and project .env files under /root without declaring that access. Before installing:
1) Inspect the script yourself (the repository includes scripts/monitor.cjs) to confirm there are no network exfiltration calls — the current file logs locally and has no implemented external alerts, but it will expose contents of .env if present.
2) Understand that it writes logs/state to /root/clawd/clawdbot-security and may need to be run as root to access /var/log/auth.log and /root paths; run it in a sandbox or container if you cannot grant that access.
3) If you expect Telegram alerts, note the Telegram send is a TODO — no remote alerting is implemented.
4) If you want to proceed, consider limiting what .env files contain (remove high-value secrets), adjust watched paths to less-sensitive locations, or modify the script to require explicit credentials/configuration for any credential checks.
5) Prefer running only after code review or on a test instance; ask the publisher for an explanation of why the skill must read /root/clawd/skills/.env and for a threat model that justifies reading root-owned logs.
If the author provides a version that only reads declared, documented paths (or documents required permissions), the assessment could move to benign.
Like a lobster shell, security has layers — review code before you run it.
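One way to make the inspection in step 1 repeatable, as an added example that is not part of the skill or of the scan report: a regex-based pass that lists network-capable modules, process-execution modules, and absolute paths a script references outside an allowlist the reviewer chooses. The function name, the allowlist, and the sample source (constructed from the behaviour the report describes, not copied from monitor.cjs) are assumptions; paths built dynamically at run time will not be caught, so this narrows the manual review rather than replacing it.

```javascript
// Added example: static pre-install review of a skill script (hypothetical helper).
const NETWORK_MODULES = new Set(['http', 'https', 'http2', 'net', 'tls', 'dgram', 'dns']);
const EXEC_MODULES = new Set(['child_process']);

function auditSkillSource(source, declaredPaths = []) {
  const findings = { network: [], exec: [], fetchCalls: 0, undeclaredPaths: [] };

  // Module names from require('x'), require('node:x') and static imports.
  const modRe = /(?:require\(\s*|from\s+|import\s+)['"](?:node:)?([^'"]+)['"]/g;
  for (const m of source.matchAll(modRe)) {
    if (NETWORK_MODULES.has(m[1])) findings.network.push(m[1]);
    if (EXEC_MODULES.has(m[1])) findings.exec.push(m[1]);
  }
  // Global fetch() needs no import, so count call sites separately.
  findings.fetchCalls = (source.match(/\bfetch\s*\(/g) || []).length;

  // Absolute path literals; a path is "declared" if it equals an allowlisted
  // entry or lives underneath one.
  const pathRe = /['"`](\/(?:[\w.\-]+\/)*[\w.\-]+)['"`]/g;
  const seen = new Set();
  for (const m of source.matchAll(pathRe)) {
    const p = m[1];
    const declared = declaredPaths.some(
      (d) => p === d || p.startsWith(d.replace(/\/$/, '') + '/')
    );
    if (!declared && !seen.has(p)) {
      seen.add(p);
      findings.undeclaredPaths.push(p);
    }
  }
  return findings;
}

// Constructed sample input modelled on the access pattern in the report.
const SAMPLE = `
const fs = require('fs');
const { execSync } = require('child_process');
const STATE_DIR = '/root/clawd/clawdbot-security';
const authLog = fs.readFileSync('/var/log/auth.log', 'utf8');
const env = fs.readFileSync('/root/clawd/skills/.env', 'utf8');
const ports = execSync('ss -tuln').toString();
// TODO: send Telegram alert
`;

// Reviewer's allowlist (assumption): only the skill's own state directory.
console.log(JSON.stringify(auditSkillSource(SAMPLE, ['/root/clawd/clawdbot-security']), null, 2));
```

To review a real file, pass `require('fs').readFileSync(path, 'utf8')` as the first argument instead of `SAMPLE`.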
Current version: v1.0.0
Tags: intrusion-detection, latest, monitoring, realtime, security
SKILL.md
Security Monitor Skill
When to use
Run continuous security monitoring to detect breaches, intrusions, and unusual activity on your Clawdbot deployment.
Setup
No external dependencies required. Runs as a background process.
How to
Start real-time monitoring
node skills/security-monitor/scripts/monitor.cjs --interval 60
Run in daemon mode (background)
node skills/security-monitor/scripts/monitor.cjs --daemon --interval 60
Monitor for specific threats
node skills/security-monitor/scripts/monitor.cjs --threats=credentials,ports,api-calls
What It Monitors
| Threat | Detection | Response |
|---|---|---|
| Brute force attacks | Failed login detection | Alert + IP tracking |
| Port scanning | Rapid connection attempts | Alert |
| Process anomalies | Unexpected processes | Alert |
| File changes | Unauthorized modifications | Alert |
| Container health | Docker issues | Alert |
Output
- Console output (stdout)
- JSON logs at /root/clawd/clawdbot-security/logs/alerts.log
- Telegram alerts (configurable)
Daemon Mode
Use systemd or PM2 to keep monitoring active:
# With PM2
pm2 start monitor.cjs --name "clawdbot-security" -- --daemon --interval 60
Combined with Security Audit
Run audit first, then monitor continuously:
# One-time audit
node skills/security-audit/scripts/audit.cjs --full
# Continuous monitoring
node skills/security-monitor/scripts/monitor.cjs --daemon
Related skills
- security-audit: One-time security scan (install separately)
