Skillv1.0.0

ClawScan security

system-monitor-tool · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 10, 2026, 5:04 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill does what it says (runs a bundled shell script to report CPU, memory, disk, network, processes and temperature) and does not request extra credentials or external installs, though it will read local system state (including home directory sizing and process command lines) and ping a public IP.
Guidance: This skill appears to be what it claims: a simple local system monitor implemented as a shell script. Before installing or enabling it, consider that: the script enumerates your home directory sizes (du ~/*) and lists processes (ps aux / top) which can reveal filenames and command-line arguments (possible sensitive data). It also pings 8.8.8.8 to check connectivity. If you are concerned about exposing filenames or process arguments, run the script in a restricted environment or review/modify the script (remove du on ~/* or redact process command lines). No credentials are requested and nothing is downloaded at install time. If you need stricter privacy, do not enable autonomous invocation; run it only on-demand.

Purpose & Capability: okName/description match the included assets: SKILL.md and scripts/monitor.sh implement CPU, memory, disk, network, process listing and temperature checks. No unrelated credentials, installs, or features are requested.
Instruction Scope: noteRuntime instructions simply call the included monitor.sh with subcommands — this stays within the stated purpose. However the script reads local system state (df, du ~/*, /proc/meminfo, ps aux, top, vm_stat, etc.) and thus can reveal file sizes, file/folder names in the user's home directory and full process command lines, which may contain sensitive information or secrets in arguments.
Install Mechanism: okNo install specification; this is an instruction-only skill that includes its own script. Nothing is downloaded or extracted from external URLs.
Credentials: noteThe skill requests no environment variables or credentials, which is proportional. It does rely on standard system utilities (ping, df, du, ps, top, netstat/ip/ifconfig, etc.); those are expected but may require appropriate platform availability and permissions.
Persistence & Privilege: okalways is false and the skill does not modify other skills or system configuration. The agent may invoke it autonomously (platform default), but the skill does not request elevated persistence.