Is jakes420/web-monitor-pro safe?
https://github.com/openclaw/skills/tree/main/skills/jakes420/web-monitor-pro
Web Monitor Pro (jakes420/web-monitor-pro) is a functionally legitimate web monitoring skill with a clean SKILL.md free of prompt injection. The primary risks are architectural rather than malicious: the webhook system transmits monitor data to user-configured external endpoints, the feedback command embeds system info in GitHub URLs, and monitored page content is stored persistently in the home directory. No canary exfiltration was detected — canary file PATH records are consistent with audit infrastructure initialization and teardown. The skill installs cleanly without unexpected network connections, hooks, or symlinks.
Category Scores
Findings (8)
MEDIUM Webhook system transmits monitor data to external endpoints -10 ▶
The fire_webhooks() function POSTs JSON payloads containing monitor_id, label, monitored URL, change_summary, and current_price to user-configured webhook URLs. While this is documented functionality, it represents real outbound data transmission whenever a monitor condition triggers. A malicious actor who persuades a user to set a webhook URL to an attacker-controlled server would receive ongoing telemetry about what URLs the user monitors and what changes occur.
MEDIUM Feedback command encodes system info in GitHub URL -8 ▶
cmd_feedback() constructs a pre-filled GitHub issue URL containing the user's message, OS details (platform.system(), platform.release()), Python version, monitor count, and Playwright status. This URL is printed and potentially presented to the user or agent. If navigated, this telemetry is transmitted to GitHub and visible in URL logs, browser history, and to github.com.
LOW Executable Python script with subprocess curl invocation -10 ▶
monitor.py invokes curl via subprocess.run() with a spoofed Chrome User-Agent to fetch arbitrary user-supplied URLs. While the subprocess call uses a list (not shell=True) preventing shell injection, the script represents a significant code execution surface that will run whenever the agent invokes monitoring commands.
LOW Playwright headless browser spawned for JS-rendered pages -6 ▶
When --browser flag is used or engine=browser is configured, the skill spawns a full headless Chromium browser via Playwright. This is a high-privilege operation with broad network and rendering capability. While opt-in and documented, it significantly expands the attack surface if a malicious URL were monitored.
LOW Monitored page content stored persistently in home directory -8 ▶
Up to 50 snapshots of 10KB each are stored per monitor in ~/.web-monitor/snapshots/. If the user monitors sensitive pages (authenticated dashboards, internal tools, personal documents), this content accumulates locally and could be read by any process with home directory access.
LOW Network connection to Ubuntu NTP and package infrastructure during install -10 ▶
During install, connections were observed to 185.125.188.59/58 (Canonical/Ubuntu) and 91.189.91.49 (Ubuntu package infrastructure). These are attributable to the VM's normal background activity (apt, NTP) and not to the skill itself.
INFO debug command fingerprints ClawHub installation environment -4 ▶
The debug command checks for the presence of a .clawhub directory in the parent of the script path to determine install_via. This reveals to any feedback log or debug output whether the skill is running inside a ClawHub/OpenClaw environment.
INFO Cron job template suggests autonomous agent execution without user confirmation -10 ▶
The examples.md and SKILL.md both include a cron job configuration that instructs the agent to silently run monitor checks every 6 hours and 'stay silent' if nothing changed. While not malicious, this establishes an autonomous execution pattern that runs the skill without explicit user interaction.