Analysis

v1.0.0

Run deep system health checks across workspace, config, skills, and integrations with prioritized findings and remediation.

by Iván (@ivangdavila)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description ('system health checks' across workspace, config, skills, integrations) match the checks and remediation content: it legitimately inspects files, git history, sessions, cron, services, and integration tokens. No unrelated credentials, binaries, or install steps are requested.
Instruction Scope
Instructions explicitly tell the agent to read many sensitive files (e.g., ~/.ssh, memory/, .env, git history, keychain references), run local commands (grep, find, stat, git, curl, pgrep) and include remediation scripts that can change permissions, move/delete/archive files, restart services, kill sessions, and recommend force-pushing git history. This is within the stated diagnostic purpose, but the remediation templates are potentially destructive and should not be executed without explicit user approval or dry-run safeguards.
Install Mechanism
Instruction-only skill with no install spec and no downloaded code — lowest install risk.
Credentials
The skill requests no environment variables or external credentials, but its checks reference many sensitive local configurations and third-party tokens (Cloudflare, Hetzner, bot tokens). Access to those files and the ability to perform authenticated API checks is appropriate for a diagnostic tool, but it means the agent will encounter secrets if present — treat findings carefully and avoid automatic exfiltration or transmission.
Persistence & Privilege
The skill is not always-enabled and does not request persistent platform privileges. However, tracking.md suggests optional scheduled analysis and writing to memory/health-status.md; combined with remediation scripts, enabling autonomous runs or heartbeat-based checks could let it perform repeated modifications. Require explicit opt-in before scheduling or allowing auto-fix actions.
Assessment
This skill is coherent with its stated purpose and doesn't pull external code, but it inspects sensitive local files and includes remediation scripts that can modify or delete data (chmod, mv, git filter-branch/force-push, restart services, kill sessions, write to keychain). Before installing or running it: (1) run in read-only or dry-run mode first, (2) back up repositories and important files, (3) never allow automatic 'auto-fix' actions without explicit approval, (4) do not enable scheduled/heartbeat runs unless you trust the configured behavior, and (5) review any suggested credential rotation or force-push procedures with caution (these are destructive). If you want higher assurance, ask the skill author for a non-destructive dry-run mode and explicit prompts before any remediation step.
