Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Openclaw Skill Observability
v0.1.0
Provides tools to monitor OpenClaw health by reporting recent errors and estimating API usage costs over the last 24 hours.
by @erain
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The skill's name/README/PRD and SKILL.md describe cost reporting and recent error retrieval, which matches the code: it calls the OpenClaw CLI for session history and reads journalctl for errors. However, the package/registry metadata does not declare required binaries (the code expects the 'openclaw' CLI and 'journalctl' to be present). This is an omission (sloppy manifest) but not necessarily malicious.
Instruction Scope
SKILL.md defines two tools (get_cost_report and get_recent_errors) and the implementation follows those instructions. The code confines itself to: 1) running `openclaw sessions list --json` and aggregating token counts, and 2) running `journalctl --user -u openclaw-gateway` and filtering lines for errors/warnings. The scope is narrow and consistent with observability.
Install Mechanism
There is no install spec; this is an instruction+code skill that executes local commands at runtime. No remote downloads or package installs are performed from unknown URLs, which lowers installation risk.
Credentials
The skill requests no environment variables or credentials (manifest lists none). The code also does not read env vars. However, it executes local commands and returns raw log lines and session metadata — these outputs can contain sensitive information. The lack of declared required binaries (openclaw, journalctl) is a proportionality/manifest omission to be aware of.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system configuration, and does not persist credentials. It only runs local commands when invoked.
Assessment
This skill appears to implement exactly what it says: cost estimates from OpenClaw sessions and recent error lines from the OpenClaw system unit. Before installing: 1) Verify the host has the 'openclaw' CLI and systemd/journalctl available — the manifest did not declare these required binaries. 2) Be aware that returned system logs and session metadata may include sensitive data (IDs, stack traces, or secrets logged by other components); avoid sending these outputs to public channels or non-trusted chat endpoints. 3) If you deploy to production, test in a safe environment first and review the GitHub repository (package.json points to a repo) and the author (erain). 4) If you want stricter behavior, request the author add explicit required-binaries to the skill manifest and/or add sanitization of log lines to redact secrets before returning them.
Like a lobster shell, security has layers — review code before you run it.
