Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Server Health Agent
v1.0.0Monitor VPS and server health metrics including real-time CPU usage, RAM utilization, disk usage, and Docker container status. Useful for DevOps monitoring,...
⭐ 0· 925·7 current·8 all-time
bySanjay Jain@sanjay-gthb
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description match the code: the skill runs read-only system commands (top, free, df, docker) and Node.js fallbacks to produce server metrics. One minor mismatch: the SKILL metadata/requirements list no required binaries even though the code expects standard system utilities (top, free, df, docker). This is likely an omission, not malicious, but means the platform should ensure those binaries exist.
Instruction Scope
SKILL.md and skill.js limit actions to collecting system metrics and printing structured JSON. The instructions do not reference unrelated files, undisclosed env vars, external endpoints, or 'use your judgment' style broad data collection. The skill logs and returns only local metrics (including Docker container names/status), which is consistent with its stated purpose.
Install Mechanism
There is no automated install step (instruction-only skill with included code). No downloads from arbitrary URLs or archive extraction occur. The README suggests copying the folder into the workspace and restarting OpenClaw, which is standard for local skills.
Credentials
The skill requests no environment variables or external credentials. It does require shell access to execute system commands, which is proportionate to gathering host metrics. The only implicit requirement is access to the Docker socket/CLI if Docker container status is desired — this is expected for the feature.
Persistence & Privilege
The skill is not marked always:true and is user-invocable only. However, it requires shell execution permission (declared in SKILL.md) and will therefore run system commands with whatever privileges the agent process has. That privilege is necessary for its function but means it will see anything the agent user can read (including containers if Docker socket is available).
Assessment
This skill appears to do what it says: run read-only system commands to return CPU, RAM, disk, and Docker status. Before installing, consider: 1) The agent must have shell access — run the agent with least privilege so the skill only sees what you want it to (avoid running the agent as root if unnecessary). 2) If you do not want container names/status exposed, ensure the agent cannot access the Docker socket/CLI. 3) The SKILL metadata doesn't list required binaries (top, free, df, docker) — check your host has compatible utilities or rely on Node.js fallbacks. 4) Because the code uses child_process.exec, review the code and keep it under source control so you can detect future modifications. If you are comfortable with those points, the skill is internally consistent with its stated purpose.Like a lobster shell, security has layers — review code before you run it.
latestvk975myf4gyt86a250r1b0bhjp181hyqelatest monitoring devops server health vps dockervk975myf4gyt86a250r1b0bhjp181hyqemonitoring, devops, server, health, docker, vpsvk975myf4gyt86a250r1b0bhjp181hyqe
License
MIT-0
Free to use, modify, and redistribute. No attribution required.