ClawHub
Skill flagged β€” suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

VM Health Check

πŸ–₯️ Instant VM health checks β€” no config needed after first run. Point it at any Docker-based Linux server and get a clean report covering CPU, memory, disk,...

MIT-0 Β· Free to use, modify, and redistribute. No attribution required.
⭐ 0 · 97 · 0 current installs · 0 all-time installs
by@tonylnng
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report β†’
OpenClawOpenClaw
Benign
medium confidence
βœ“
Purpose & Capability
The name/description match the implementation: the script SSHes to a Docker-based VM and gathers system, Docker, and DB metrics and can prune images/build cache. No unrelated credentials or services are requested.
β„Ή
Instruction Scope
SKILL.md instructs the agent to read and append VM_HOST, VM_USER, and SSH_KEY (path) to TOOLS.md in the workspace. Persisting VM connection details in a project file is a design choice but can leak hostnames and key paths; the script then performs remote docker/mysql/psql commands and may run destructive cleanup when 'cleanup' is selected. The instructions suppress stderr in several places which can hide errors.
βœ“
Install Mechanism
No install spec; this is instruction-only with a single included bash script. Nothing is downloaded or written to disk by an installer step beyond the requested TOOLS.md edit.
β„Ή
Credentials
The skill declares no required env vars but expects VM_HOST, VM_USER, and SSH_KEY at runtime (and asks to save them to TOOLS.md). Those variables are expected for SSH-based checks; however storing the SSH_KEY path in a workspace file and relying on an on-disk private key has privacy implications. The script uses ssh -i <key> so the private key file will be used by the SSH client (expected for SSH access).
β„Ή
Persistence & Privilege
always:false and normal invocation. The only persistent behavior is appending connection info to TOOLS.md (the skill does not modify other skills or global agent settings). Persisting host/key info in a repository/workspace file is potentially sensitive and should be managed (e.g., .gitignore or avoid storing key paths).
Assessment
This skill appears to do what it says, but take these precautions before installing/using it: - Do not store private key material in project files. The skill saves the SSH key path to TOOLS.md; avoid writing actual private keys and consider not storing the path in a repo (add TOOLS.md to .gitignore or keep credentials out of the workspace). Prefer passing VM_HOST/VM_USER/SSH_KEY as environment variables at runtime. - Host-key verification is disabled (ssh -o StrictHostKeyChecking=no). That avoids interactive prompts but increases MITM risk β€” consider verifying host keys manually or removing the option. - The cleanup section runs docker image prune -af and docker builder prune -f automatically; these can free space but are destructive to unused images/cache. The SKILL.md warns about not running docker system prune -af, but still confirm before running cleanup on production systems. - The script suppresses stderr (2>/dev/null) in many remote commands which can hide errors. If something looks wrong, run the underlying commands manually on the host to inspect full output. - The DB size checks attempt to connect without credentials (root with empty password); if your containers require credentials, the script will note that and skip β€” but do not add credentials to TOOLS.md in plaintext. - Review the included script (scripts/vm-check.sh) yourself before running and test in a safe environment. If you need stronger safeguards, modify the script to enforce host-key checking, avoid writing connection info to disk, and require explicit confirmation before any pruning operations.

Like a lobster shell, security has layers β€” review code before you run it.

Current versionv1.0.2
Download zip
latestvk97e0az704se8jf9vz5px6zhxx834e78

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

tonic-vm-check

SSH into a Docker-based VM and report system health, container status, DB sizes, and disk usage.

Step 1: Load VM Config

Before running any check, look for this block in TOOLS.md:

### tonic-vm-check
- VM_HOST: <host>
- VM_USER: <user>
- SSH_KEY: <path>

If found: extract the values and proceed to Step 2.

If not found: ask the user once:

To check your VM, I need a few details (only asked once β€” saved to TOOLS.md):

  1. VM IP or hostname
  2. SSH username (default: ubuntu)
  3. Path to SSH private key (default: ~/.ssh/id_rsa)

Then append to TOOLS.md:

### tonic-vm-check
- VM_HOST: <answer>
- VM_USER: <answer>
- SSH_KEY: <answer>

Confirm saved, then proceed.

Step 2: Run the Check

VM_HOST=<host> VM_USER=<user> SSH_KEY=<key> bash skills/tonic-vm-check/scripts/vm-check.sh [section]

Sections: all (default) Β· system Β· disk Β· containers Β· db Β· docker-df Β· cleanup

Step 3: Report

Summarise results:

πŸ–₯️ System β€” Uptime, CPU idle%, load average, memory (total / used / available)

πŸ’Ύ Disk β€” / usage %, used, free

🐳 Docker β€” Top containers by MEM USAGE; flag any not healthy or recently restarted

πŸ—„οΈ DB Sizes β€” MySQL and Postgres databases auto-detected on the VM

🧹 Cleanup Opportunities β€” Reclaimable image/cache space; stopped containers worth removing

Always flag items that exceed thresholds:

MetricWarningCritical
Disk usage>70%>85%
Memory used>80%>90%
Load avg (1m)>2.0>4.0
Single container MEM>1 GB>2 GB

Cleanup Safety Rules

  • docker image prune -af β€” safe (unused images only)
  • docker builder prune -f β€” safe (build cache only, no data loss)
  • docker container prune β€” safe only for stopped containers
  • Never run docker system prune -af without explicit user approval (destroys volumes)

Files

2 total
Select a file
Select a file to preview.

Comments

Loading comments…