Trusted — Risk Score 5/100
Last scan: 1 day ago
system-monitor
Monitor system health on the gateway host (Raspberry Pi / ARM / Linux). Reports CPU, RAM, disk, temperature, uptime, load, top processes.
A straightforward system health monitor for Raspberry Pi that reads /proc, /sys, ps, and df — all capabilities declared in SKILL.md with no hidden functionality.
Skill Name: system-monitor
Duration: 23.4s
Engine: pi
Safe to install
Approve. All behavior is accurately declared, external tool usage is minimal and necessary, and no credential, network, or obfuscation risks are present.

Findings (1 item)

Severity: Low
Finding: Subprocess usage not declared in Security section (Doc Mismatch)
Location: SKILL.md:42
SKILL.md's Security section says 'Never writes, modifies, or executes anything beyond reading system stats' and claims 'No network access: Purely local'. While the What It Reports table does list 'df -h' and 'ps aux' as sources, the Security section omits that subprocess is used. This is a minor documentation gap.
subprocess.run(['df', '-h', '-x', 'tmpfs', '-x', 'devtmpfs'], capture_output=True, text=True, timeout=5)
→ Update Security section of SKILL.md to clarify that the tool invokes 'df' and 'ps' via subprocess for disk and process data. This is benign and necessary for the stated purpose.
Resource     Declared  Inferred  Status     Evidence
Filesystem   READ      READ      ✓ Aligned  monitor.py:61 'with open("/proc/stat") as f'
Shell        NONE      READ      ✓ Aligned  monitor.py:61 subprocess.run(['df','-h']); monitor.py:92 subprocess.run(['ps','a…
Network      NONE      NONE                 No network calls found
Environment  NONE      NONE                 No os.environ access
Database     NONE      NONE                 No database access
Clipboard    NONE      NONE                 No clipboard access

File Tree

2 files · 8.8 KB · 289 lines
Python 1f · 219L Markdown 1f · 70L
├─ 📁 scripts
│ └─ 🐍 monitor.py Python 219L · 6.9 KB
└─ 📝 SKILL.md Markdown 70L · 1.9 KB

Security Positives

✓ No network requests — purely local system monitoring
✓ No credential or secret access — only public /proc and /sys metrics
✓ No obfuscation — all code is plain Python, no base64 or dynamic eval
✓ Error handling via try/except on all file reads and subprocess calls
✓ No filesystem writes — confirmed read-only
✓ No sensitive path access (no ~/.ssh, ~/.aws, .env, etc.)
✓ No persistence mechanisms — no cron, no startup hooks
✓ Subprocess usage (df, ps) is explicitly listed in the What It Reports table
✓ Zero external pip dependencies — stdlib only