Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Test

v0.0.1

Deploy a lightweight status API that exposes your OpenClaw bot's runtime health, service connectivity, cron jobs, skills, system metrics, and more. Use when setting up a monitoring dashboard, health endpoint, or status page for an OpenClaw agent. Supports any services via config (HTTP checks, CLI commands, file checks). Zero dependencies — Node.js only.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for suspect80/bot-status-api-test.

Install the skill "Test" (suspect80/bot-status-api-test) from ClawHub.
Skill page: https://clawhub.ai/suspect80/bot-status-api-test
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install bot-status-api-test

ClawHub CLI


npx clawhub@latest install bot-status-api-test

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The stated purpose (a lightweight status API for an OpenClaw bot) is coherent with the capabilities described (health checks, system metrics, skills list). However the skill claims 'zero dependencies — Node.js only' and yet the package contains no server.js, collectors/, or config.example.json that the SKILL.md instructs you to copy, which is an inconsistency: required runtime files are missing from the bundle and the source/homepage is unknown.
! Instruction Scope
Runtime instructions explicitly tell operators to read OpenClaw workspace files (heartbeat-state.json, cron/jobs.json), scan /proc for system metrics, grep processes to detect dev servers, and run shell commands for 'command' checks. Those actions access local system and agent internals and can expose sensitive data. The SKILL.md also references email unread counts (requiring mail clients/credentials) and Portainer (requiring API tokens) but does not limit or explain how credentials are handled.
Install Mechanism
This is instruction-only (no install spec), which is lower install risk. However the absence of any shipped code is notable: the instructions assume you will copy server.js, collectors/, and package.json from somewhere else. That missing provenance is a risk — you must obtain these files from a trusted source and review them before running.
! Credentials
No environment variables or credentials are declared, yet the instructions imply needing access tokens/credentials for email providers and Portainer, file system paths for OpenClaw workspace, and permission to run arbitrary shell commands. The skill's declared requirements understate the sensitive access it will need to function.
! Persistence & Privilege
The SKILL.md instructs installing a systemd user service and enabling linger (loginctl enable-linger) which grants the process persistence beyond user sessions. The skill bundle does not set always or disableModelInvocation, so although not explicitly persistent in the registry metadata, the instructions push for long-running privileged behavior. Running as a persistent service increases risk if the code is unreviewed or misconfigured.
What to consider before installing
Do not run code you don't have or can't inspect. Before installing:

1) Obtain the referenced files (server.js, collectors/, package.json, config.example.json) from a trusted source and review their contents (search for network exfiltration, unexpected exec/spawn usage, or reading unrelated system files).
2) Confirm what credentials are actually needed for Portainer, email, or other services and only provide minimal, scoped tokens.
3) Restrict the service's filesystem access (run as a dedicated unprivileged user, use limited workspace paths), and avoid enabling linger/system-wide services until you audit the code.
4) Validate any shell commands configured for 'command' checks — treat them as potentially dangerous.
5) Ask the publisher for source repository, checksums/signatures, and a homepage or contact; absence of origin info lowers trust.

If you cannot review the code or confirm provenance, treat this skill as high risk.

Like a lobster shell, security has layers — review code before you run it.

latest vk97848js8g156cpvsmrcxvqxw580jysm
1.5k downloads
0 stars
1 versions
Updated 22h ago
v0.0.1
MIT-0

Bot Status API

A configurable HTTP service that exposes your OpenClaw bot's operational status as JSON. Designed for dashboard integration, monitoring, and transparency.

What It Provides

  • Bot Core: Online status, model, context usage, uptime, heartbeat timing
  • Services: Health checks for any HTTP endpoint, CLI tool, or file path
  • Email: Unread counts from any email provider (himalaya, gog, etc.)
  • Cron Jobs: Reads directly from OpenClaw's cron/jobs.json
  • Docker: Container health via Portainer API
  • Dev Servers: Auto-detects running dev servers by process grep
  • Skills: Lists installed and available OpenClaw skills
  • System: CPU, RAM, Disk metrics from /proc

Setup

1. Copy the service files

Copy server.js, collectors/, and package.json to your desired location.

2. Create config.json

Copy config.example.json to config.json and customize:

{
  "port": 3200,
  "name": "MyBot",
  "workspace": "/path/to/.openclaw/workspace",
  "openclawHome": "/path/to/.openclaw",
  "cache": { "ttlMs": 10000 },
  "model": "claude-sonnet-4-20250514",
  "skillDirs": ["/path/to/openclaw/skills"],
  "services": [
    { "name": "myservice", "type": "http", "url": "http://...", "healthPath": "/health" }
  ]
}

Service Check Types

Type        | Description                     | Config
http        | Fetch URL, check HTTP 200       | url, healthPath, method, headers, body
command     | Run shell command, check exit 0 | command, timeout
file-exists | Check path exists               | path
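
One way to review the services array before starting the service, as an added example (not code from the skill or its publisher): a Node.js audit that flags command checks, requests that leave the host, credential headers over cleartext HTTP, and file checks outside the workspace. The severity labels, the loopback list, the credential header names and the sample entries are assumptions constructed for illustration.

```javascript
// Added example: audit a Bot Status API config.json (labels and rules are this example's assumptions).
const SHELL_META = /[;&|`<>]|\$\(/;
const CRED_HEADER = /^(authorization|cookie|x-api-key)$/i;
const LOOPBACK = new Set(['localhost', '127.0.0.1', '[::1]']);

// Resolve "." and ".." in an absolute POSIX path without touching the disk.
const normalize = (p) => '/' + String(p).split('/').reduce((out, seg) => {
  if (seg === '..') out.pop();
  else if (seg && seg !== '.') out.push(seg);
  return out;
}, []).join('/');

function auditConfig(config) {
  const findings = [];
  const ws = normalize(config.workspace || '');
  for (const svc of config.services || []) {
    const add = (severity, issue) => findings.push({ service: svc.name, severity, issue });
    if (svc.type === 'command') {
      // The string is handed to a shell, so every command entry needs a human look.
      const cmd = String(svc.command || '');
      add(SHELL_META.test(cmd) ? 'high' : 'review', `runs shell command: ${cmd}`);
      if (!svc.timeout) add('low', 'command check has no timeout');
    } else if (svc.type === 'http') {
      let url;
      try { url = new URL(svc.url); } catch { add('high', 'url does not parse'); continue; }
      const local = LOOPBACK.has(url.hostname);
      if (!local) add('review', `request leaves this host: ${url.hostname}`);
      const creds = Object.keys(svc.headers || {}).filter((h) => CRED_HEADER.test(h));
      const clear = url.protocol === 'http:' && !local;
      if (creds.length) add(clear ? 'high' : 'review', `credential header ${creds.join(', ')} (cleartext: ${clear})`);
    } else if (svc.type === 'file-exists') {
      const p = normalize(svc.path || '');
      if (p !== ws && !p.startsWith(ws + '/')) add('review', `path outside workspace: ${p}`);
    } else add('high', `unknown check type: ${svc.type}`);
  }
  return findings;
}
// Constructed sample config (hosts, paths and the token are placeholders).
const sampleConfig = {
  workspace: '/home/bot/.openclaw/workspace',
  services: [
    { name: 'dashboard', type: 'http', url: 'http://127.0.0.1:3000', healthPath: '/health' },
    { name: 'portainer', type: 'http', url: 'http://portainer.example:9000',
      headers: { 'X-API-Key': 'PLACEHOLDER' } },
    { name: 'devserver', type: 'command', command: 'pgrep -f vite || true', timeout: 5000 },
    { name: 'cron', type: 'file-exists', path: '/home/bot/.openclaw/workspace/../cron/jobs.json' },
  ],
};
console.table(auditConfig(sampleConfig));
```

An empty result means only that none of these rules fired; each command string still has to be read before the service runs.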

3. Run

node server.js

4. Persist (systemd user service)

# ~/.config/systemd/user/bot-status.service
[Unit]
Description=Bot Status API
After=network.target

[Service]
Type=simple
WorkingDirectory=/path/to/bot-status
ExecStart=/usr/bin/node server.js
Restart=always
RestartSec=5
Environment=PORT=3200
Environment=HOME=/home/youruser
Environment=PATH=/usr/local/bin:/usr/bin:/bin

[Install]
WantedBy=default.target

systemctl --user daemon-reload
systemctl --user enable --now bot-status
loginctl enable-linger $USER  # survive logout

5. Context/Vitals from OpenClaw

The bot should periodically write vitals to heartbeat-state.json in its workspace:

{
  "vitals": {
    "contextPercent": 62,
    "contextUsed": 124000,
    "contextMax": 200000,
    "model": "claude-opus-4-5",
    "updatedAt": 1770304500000
  }
}

Add this to your HEARTBEAT.md so the bot updates it each heartbeat cycle.

Endpoints

Endpoint    | Description
GET /status | Full status JSON (cached)
GET /health | Simple {"status":"ok"}

Architecture

  • Zero dependencies — Node.js built-ins only (http, fs, child_process)
  • Non-blocking — All shell commands use async exec, never execSync
  • Background refresh — Cache refreshes on interval, requests always served from cache instantly (~10ms)
  • Config-driven — Everything in config.json, no hardcoded values
