ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Uptime Monitoring with Encrypted Energy - Know the second your OpenClaw agent goes silent

v0.2.4

Know the second your OpenClaw agent goes silent. Free hosted heartbeat monitor — every-minute pings, public status page, and email alerts when pings stop.

0· 24·0 current·0 all-time
byJohn Marbach@jmarbach

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for jmarbach/encryptedenergy-uptime.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Uptime Monitoring with Encrypted Energy - Know the second your OpenClaw agent goes silent" (jmarbach/encryptedenergy-uptime) from ClawHub.
Skill page: https://clawhub.ai/jmarbach/encryptedenergy-uptime
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: ENCRYPTED_ENERGY_API_KEY
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install jmarbach/encryptedenergy-uptime

ClawHub CLI

Package manager switcher

npx clawhub@latest install encryptedenergy-uptime
Security Scan
Capability signals
Requires OAuth tokenRequires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the implementation: the script posts local openclaw health/status JSON to encryptedenergy.com using a per-agent API key. Requiring an ENCRYPTED_ENERGY_API_KEY is coherent with an external hosted heartbeat service.
!
Instruction Scope
SKILL.md instructs installing a crontab entry that embeds the API key in the crontab line and states 'pure bash + curl', but the script calls the local openclaw CLI and jq. The script collects and reshapes many status fields (host name/platform, channel tokenSource, session token-usage metrics, last errors, etc.) and posts them to the vendor. That generally fits an uptime monitor, but some of those fields (e.g., tokenSource, host name) may reveal sensitive operational details. The SKILL.md and script do limit scope to CLI output only, but the crontab approach exposes the key in a persistent file and may make the token available in the job environment — consider the local-exposure implications.
Install Mechanism
Instruction-only skill with a small shipped shell script; no installer or remote downloads. Risk from installation is low because nothing is fetched or extracted at install time.
!
Credentials
Declared requirement is a single ENCRYPTED_ENERGY_API_KEY which is appropriate, but the script also respects an override ENCRYPTED_ENERGY_PING_URL (not declared in requires.env). The SKILL.md claims 'pure bash + curl' but the script actually requires jq and the openclaw CLI (SKILL.md mentions the latter via PATH guidance but not jq). Asking for one API key is proportionate, but the script will send multiple runtime-derived fields (including tokenSource and host/platform) that might be more disclosure than strictly needed for 'uptime'.
Persistence & Privilege
always is false; skill is instruction-only and does not request persistent elevated privileges or modify other skills. Autonomous invocation remains allowed (default), which is normal for skills but increases blast radius only if combined with other issues.
What to consider before installing
This skill appears to implement a legitimate heartbeat monitor, but take these precautions before installing: 1) Review and trust encryptedenergy.com and its privacy/security policy — the script posts local gateway metadata (host name/platform), channel tokenSource, errors, and token-usage metrics. 2) Avoid placing long-lived secrets directly in crontab lines if you have concerns — prefer a restricted environment file, a systemd timer with protected env, or another secret store so the API key isn't plainly visible or accidentally exposed. 3) Ensure jq and openclaw CLI are present and accept that the script will read CLI-produced status; inspect the actual output of `openclaw status --json` on your system to confirm no sensitive secrets are present. 4) If you need to restrict what is leaked, modify the script to remove fields you don't want sent (e.g., tokenSource or host) or ask the vendor for a minimal ping-only endpoint. 5) Note there is an undocumented ENCRYPTED_ENERGY_PING_URL override — if you don't set it that value defaults to the vendor but you should audit any environment overrides before use. If these concerns are acceptable and you trust the service, the skill is usable; otherwise treat it as potentially leaking more operational metadata than strictly necessary.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Clawdis
EnvENCRYPTED_ENERGY_API_KEY
Primary envENCRYPTED_ENERGY_API_KEY
alertsvk970h701xgx06hxpztqwx62y5x85nz9shealthvk970h701xgx06hxpztqwx62y5x85nz9slatestvk977daryxhk4eymsf2gt6hzb2h85mzszmonitoringvk970h701xgx06hxpztqwx62y5x85nz9sobservabilityvk970h701xgx06hxpztqwx62y5x85nz9sstatus-pagevk970h701xgx06hxpztqwx62y5x85nz9suptimevk970h701xgx06hxpztqwx62y5x85nz9s
24downloads
0stars
6versions
Updated 1h ago
v0.2.4
MIT-0
John Marbach@jmarbach
alertshealthlatestmonitoringobservabilitystatus-pageuptime
Download

Encrypted Energy Uptime

Hosted dead man's switch for your OpenClaw agent. A unix cron runs ping.sh once a minute, which posts your gateway's /health payload to encryptedenergy.com. If pings stop arriving for the configured threshold (default 10 minutes), the user gets an email alert and the public status page flips to DOWN.

Setup

  1. Sign up at https://encryptedenergy.com.

  2. Register an agent at https://encryptedenergy.com/agents/new — that page reveals a per-agent bearer token (the API key).

  3. Schedule the ping via the user's system crontab. The gateway is not involved at run time — ping.sh is pure bash + curl, so don't route it through openclaw cron add:

    ( crontab -l 2>/dev/null; echo "* * * * * PATH=$HOME/.npm-global/bin:/usr/local/bin:/usr/bin:/bin ENCRYPTED_ENERGY_API_KEY=<paste-token> bash {baseDir}/scripts/ping.sh >/dev/null 2>&1" ) | crontab -

    The PATH=$HOME/.npm-global/bin:… prefix is required — ping.sh calls openclaw health --json and openclaw status --json, and crontab's default PATH won't find the openclaw binary. Adjust the PATH if openclaw lives elsewhere (run which openclaw to confirm).

The cron pings http://localhost:18789/health and POSTs the result to https://encryptedenergy.com/api/v1/ping every minute. Wait ~70 seconds and the agent's status page will flip to UP.

Do not

  • Do not modify the health data before sending
  • Do not send health pings more frequently than every minute
  • Do not expose the gateway port to the internet
  • Do not route ping.sh through openclaw cron add — it dispatches via an agent harness and bills LLM tokens for what is just a curl POST

Comments

Loading comments...