ClawHub

Unraid Monitor Skill for OpenClaw

v1.0.4

Query an Unraid server via GraphQL for system, array, and Docker status in read-only mode.

0· 112·0 current·0 all-time
by@yoshiofthewire
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Unraid monitoring via GraphQL) matches the scripts and behavior. Required binaries (curl, jq) and required env vars (UNRAID_BASE_URL, UNRAID_API_KEY) are appropriate and necessary for the stated purpose. Scripts implement snapshotting, summary, alerts, and a cron runner consistent with the description.
Instruction Scope
SKILL.md and scripts remain within the stated monitoring scope and perform only read-only GraphQL queries. One minor scope mismatch: the runtime code references optional env vars UNRAID_CSRF_TOKEN and UNRAID_SESSION_COOKIE (for login-gated/reverse-proxy setups) but these are not listed in the metadata.requires.env block. This is plausible for some Unraid setups but should be noted.
Install Mechanism
There is no install spec (instruction-only skill), and the repository contains shell scripts only. No remote downloads, package installs, or extract-from-URL behavior were found. This is low-risk for install-time code execution beyond the included scripts.
Credentials
Only UNRAID_API_KEY and UNRAID_BASE_URL are required, which is proportionate. Optional variables (timeouts, thresholds, state dir, notify label) are reasonable. As noted above, the scripts optionally read UNRAID_CSRF_TOKEN and UNRAID_SESSION_COOKIE even though they are not declared in requires.env; these are used to support proxied/login-gated configurations and are optional, but the omission from metadata should be documented.
Persistence & Privilege
The skill does not request always:true and does not attempt to change other skills or system-wide agent configuration. It writes snapshots/logs into a repo-local state directory (or a user-set UNRAID_STATE_DIR) and contains instructions for adding a cron entry — those cron instructions would only take effect if the user runs them. No automatic persistent backdoors or cross-skill modifications were found.
Assessment
This skill appears to be what it claims: a read-only Unraid GraphQL monitor. Before installing: 1) Only provide UNRAID_API_KEY and UNRAID_BASE_URL to the skill environment; treat the API key like any secret. 2) Note that the scripts create a temporary curl config file that contains the API key (the script chmods it to 600 and removes it), so run this only in a trusted environment. 3) If you use a login-gated proxy, the scripts accept optional UNRAID_CSRF_TOKEN and UNRAID_SESSION_COOKIE — these are optional but are not listed in the metadata, so if you plan to use them be aware they will be read from the environment. 4) The README shows commands to add cron entries; follow those manually if you want persistent scheduling (they will persist on your machine). 5) As a best practice, inspect and run the included scripts in a controlled environment first (they are small shell scripts) and avoid placing real credentials in version-controlled files. If you want me to, I can produce a short checklist of commands to safely test the skill in a sandboxed environment.

Like a lobster shell, security has layers — review code before you run it.

latestvk977nh5xqdhvxe8hy8zek1azah838qhh

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binscurl, jq
EnvUNRAID_API_KEY, UNRAID_BASE_URL
Primary envUNRAID_API_KEY

Comments