Sunny Health Monitor

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill's functionality matches its description, but it embeds a Discord webhook URL and uses user-specific absolute paths (reading OpenClaw cron/job state) without declaring either as a required credential or configuration value. As a result, it could exfiltrate system and job details to an external endpoint.

This skill appears to do what it claims, but there are two red flags you should address before using it:

1) The script contains a hardcoded Discord webhook URL (effectively a credential). That webhook will receive the full health reports — potentially sensitive system and cron-job details. Treat that URL as a secret: replace it with your own webhook or require a configured env var (SYSTEM_HEALTH_WEBHOOK) rather than using a baked-in default, and rotate the webhook if the embedded URL is real.

2) The code reads absolute, user-specific paths (/Users/xufan65/.openclaw/...), including the OpenClaw cron jobs file; that may expose other skills' job definitions and internal state. Verify what data is present in those files and update the paths (or make them configurable) before running.

Additional precautions: run the script in a sandboxed environment first, inspect the full monitor.cjs contents for any other hardcoded endpoints, and only authorize notifications to Discord channels/webhooks you control.

Static analysis

Dangerous exec

Critical finding: Shell command execution detected (child_process).

VirusTotal

No VirusTotal findings


Risk analysis

No visible risk-analysis findings were reported for this release.