Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

System Monitor Pro

v1.0.0

Real-time OpenClaw system monitoring with beautiful terminal UI. CPU, memory, disk, GPU, Gateway, cron jobs, model quota, and multi-machine support. Works on...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description match the included monitor.js. The script collects CPU, memory, disk, GPU, uptime, cron/openclaw status and supports SSH remote monitoring — all expected for a system-monitoring skill. It calls OpenClaw CLI commands (openclaw gateway/cron) which is coherent with 'Gateway' and 'cron job' monitoring.
Instruction Scope
SKILL.md instructs running the bundled monitor.js with optional --remote/--json/--alert-only. The script runs local system commands (cat /proc, df, uptime, nvidia-smi, etc.) and, if --remote is used, executes commands over ssh. This is within scope for monitoring, but the script disables SSH host-key checking (-o StrictHostKeyChecking=no), which reduces SSH security (MITM risk) and is worth noting before using against remote hosts.
Install Mechanism
No install spec; the skill is instruction + a single Node.js script. No external downloads or packaged installers are performed by the skill itself.
Credentials
The skill declares no required env vars or credentials. It does implicitly rely on the system's ssh client and any SSH keys/config in the user's environment for remote monitoring, and on the presence of the OpenClaw CLI and Node.js. Those implicit dependencies are proportional to the claimed functionality.
Persistence & Privilege
always is false and the skill does not modify other skills or system configuration. It simply reads system state and prints output; it does not request elevated persistence or extra privileges.
Assessment
This skill appears to do what it says — a local/remote system monitor implemented as a Node script — but review a few items before installing/running:
1) The script uses your system ssh client and existing SSH keys for --remote; SSH is invoked with StrictHostKeyChecking=no which will accept new host keys automatically (MITM risk) — avoid using --remote with untrusted networks/hosts or modify the script to remove that option.
2) It runs many shell commands (cat /proc, openclaw CLI, nvidia-smi, etc.), so ensure you trust the script source before running it on sensitive systems.
3) If you plan to run it periodically (HEARTBEAT), run it under a restricted account or sandbox and verify the paths (skill directory) are correct.
4) The code has minor logic/formatting bugs (visual bar threshold uses cpu threshold for all bars) but nothing that indicates malicious intent.
If you want higher assurance, request the publisher/source or run the script in a disposable VM/container first.
