ClawHub

Web Profiler Bundle

v1.0.0

Profile HTTP requests with timing, memory, and query breakdowns. Use when debugging slow routes, analyzing queries, inspecting middleware, or optimizing.

0· 88·0 current·0 all-time
by@bytesagain1
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (profile HTTP requests, timing/memory/query breakdowns) aligns with the included script: it records user-provided profiling entries, shows stats, searches, and exports local logs. Minor inconsistencies: SKILL.md declares runtime: python3 and version 1.0.0, while the script reports v2.0.0 and is a bash script — this looks like sloppy metadata but not malicious.
Instruction Scope
Runtime instructions and the script operate only on the local data directory (~/.local/share/web-profiler-bundle) and stdout/stderr. The script appends user inputs to per-command .log files, searches them, and exports them. It does not read unrelated system files, environment variables, or send data to external endpoints.
Install Mechanism
No install spec; the code is a single bash script that runs on the host. This is low risk compared to downloading/executing remote artifacts.
Credentials
The skill requests no environment variables, credentials, or config paths. It only uses HOME to build a local data directory, which is proportionate to its purpose.
Persistence & Privilege
always is false and the skill does not request permanent elevated privileges or modify other skills. It only stores its own logs under the user's home directory.
Assessment
This tool stores whatever you pass to it in ~/.local/share/web-profiler-bundle; avoid logging sensitive request bodies or secrets. Note the metadata mismatches (SKILL.md says python3 and v1.0.0 while the script is bash and prints v2.0.0) — likely sloppy packaging. There are no network calls or credential requests, but you may want to: 1) inspect the script locally before running, 2) run it in a sandbox if unsure, and 3) verify exported JSON output if you plan to import it into other tools (there's a minor bug risk in the JSON export implementation). Overall the behavior is consistent with a local CLI logger/profiler and not suspicious.

Like a lobster shell, security has layers — review code before you run it.

latestvk972mn7td8afzb84b0rtayg9zh839fxa

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments