Api Monitor Dashboard

Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: api-monitor-dashboard
Version: 1.0.0

The `monitor.sh` script contains a critical shell injection vulnerability in the `add` command: the `$URL` variable is expanded by the shell inside a double-quoted jq filter (`jq ". += [\"$URL\"]"`), so a malicious URL value can lead to arbitrary command execution. Additionally, the script dynamically generates a Node.js server (`server.js`) that lacks input validation and contains logic errors (for example, the `status` command looks for files in `data/*.json` that the server never creates). While these are severe security flaws, they appear to be unintentional programming errors rather than deliberate malware.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The tool can repeatedly contact any endpoint the user adds and can display endpoint/status data through a local web dashboard.

Why it was flagged

The generated server repeatedly fetches user-configured URLs and exposes a dashboard on port 3000. This is expected for an API monitor, but users should understand it will make recurring network requests and may expose monitoring results locally.

Skill content

const res = await fetch(url); ... setInterval(monitor, 60000); ... }).listen(3000);

Recommendation

Only add endpoints you intend to monitor, avoid embedding secrets in URLs, and consider binding the dashboard to localhost or using a firewall if running on a shared network.

What this means

The skill may not work unless Node.js and jq are already installed, even though the registry metadata does not declare those requirements.

Why it was flagged

The script depends on Node.js and jq, while the registry requirements list no required binaries and there is no install spec. This under-declaration can cause unexpected setup failures or unclear runtime assumptions.

Skill content

if ! command -v node &> /dev/null; then ... cat endpoints.json | jq ". += [\"$URL\"]"

Recommendation

Install and verify Node.js and jq yourself before use, or update the skill metadata to declare these dependencies.

What this means

A user might rely on alerting or history features that the provided artifacts do not actually implement.

Why it was flagged

These features are advertised in the documentation, but the provided monitor.sh only creates a basic in-memory dashboard and does not implement notification channels, persistent history, or recovery detection.

Skill content

- Email/Slack notifications
- Historical data
- Auto-recovery detection

Recommendation

Do not depend on this skill for production alerting unless the missing notification and persistence features are implemented and reviewed.