VictoriaMetrics
Security checks across malware telemetry and agentic risk
Overview
The skill appears to query VictoriaMetrics as advertised, but its setup can store and print database passwords in plain text.
Install only if you are comfortable with a local CLI querying your VictoriaMetrics instances. Before using the init wizard, plan how to protect credentials: use least-privilege/read-only accounts, avoid shared terminals or logs, restrict permissions on the generated config file, and use HTTPS endpoints when sending Basic Auth credentials.
VirusTotal
65/65 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A single command can retrieve monitoring data from multiple configured environments, including production if it is in the config.
The CLI can fan a user query out to every configured VictoriaMetrics instance. This is disclosed and aligned with the monitoring purpose, but it broadens the scope of data queried.
if (flags.all) {
  result = await queryAllInstances(config, query);
} ... config.instances.map(async (instance) => {
Configure only intended instances, use the --all option deliberately, and prefer read-only VictoriaMetrics credentials where possible.
VictoriaMetrics credentials may be visible on screen, captured in terminal logs, or left in a plaintext workspace file.
The setup wizard collects a Basic Auth password, writes the full config to disk, and prints the full config without redacting the password.
instance.password = await question('Password: '); ... fs.writeFileSync(configPath, JSON.stringify(config, null, 2)); ... console.log(JSON.stringify(config, null, 2));
Do not use high-privilege credentials. Protect the config file, prefer environment variables or a secret store, redact passwords from output, and use HTTPS/read-only accounts where possible.
