Low Risk — Risk Score 20/100
Last scan: 2 days ago
server-watchdog
Monitor remote servers via SSH — check service health, database status, disk space, memory, and auto-restart crashed services. Sends alerts via messaging.
Legitimate server monitoring script that pings MongoDB, auto-restarts the Windows service, analyzes crash logs, and sends Telegram alerts — no malicious behavior found.
Skill Name: server-watchdog
Duration: 40.0s
Engine: pi
Safe to install
Document the mongodb-watchdog.js script explicitly in SKILL.md, pin the Telegram bot token to environment variables only, and clarify the SSH vs local-service management distinction.

Findings 3 items

Severity: Low
Finding: SKILL.md does not mention the mongodb-watchdog.js script
The concrete implementation (scripts/mongodb-watchdog.js) is not referenced in SKILL.md. SKILL.md describes SSH-based remote server monitoring while the script runs locally on the target Windows server using Node.js exec for net start/stop.
Evidence: Monitor remote servers via SSH
→ Document the mongodb-watchdog.js deployment workflow and clarify that it runs locally on the target server rather than via SSH
Location: SKILL.md:1

Severity: Low
Finding: Hardcoded Telegram chat ID
The Telegram chat ID '1663667034' is hardcoded in CONFIG.telegram.chatId. While not a security vulnerability by itself, it reveals a specific Telegram contact.
Evidence: chatId: process.env.TELEGRAM_CHAT_ID || '1663667034'
→ Enforce chat ID from environment variable only, remove the fallback hardcoded value
Location: scripts/mongodb-watchdog.js:29

Severity: Low
Finding: Hardcoded local server IP in comments
The comment in the script header references the target server IP 10.0.0.213, which may be unintentional exposure of infrastructure details.
Evidence: Deployed on WEB-SV (10.0.0.213), managed with PM2
→ Remove IP addresses from comments in production scripts
Location: scripts/mongodb-watchdog.js:9

Resource | Declared | Inferred | Status | Evidence
Shell | WRITE | WRITE | ✓ Aligned | SKILL.md: SSH usage for service restart
Database | READ | READ | ✓ Aligned | SKILL.md: database status checks; script: MongoDB ping
Filesystem | NONE | READ | ✓ Aligned | scripts/mongodb-watchdog.js: reads mongod.log for crash analysis (legitimate pur…
Network | NONE | WRITE | ✓ Aligned | scripts/mongodb-watchdog.js: Telegram API POST for alerts only (legitimate purpo…

File Tree

2 files · 15.3 KB · 524 lines
JavaScript 1f · 400L Markdown 1f · 124L
├─ 📁 scripts
│ └─ 📜 mongodb-watchdog.js JavaScript 400L · 11.8 KB
└─ 📝 SKILL.md Markdown 124L · 3.5 KB

Dependencies 1 items

Package | Version | Source | Known Vulns | Notes
mongodb | not specified | npm | No | Package manager file not present; mongodb driver is the only runtime dependency

Security Positives

✓ No base64, no eval(), no obfuscation — code is readable and auditable
✓ No credential harvesting — no iteration over os.environ or reading ~/.ssh, ~/.aws, or .env
✓ No curl|bash or wget|sh remote script execution
✓ No data exfiltration — Telegram POSTs are for alerts only, not credential theft
✓ Auto-restart logic is rate-limited (max 5 restarts per hour)
✓ No dependencies with known vulnerabilities — mongodb driver is standard
✓ Local-only attack surface — no remote code execution paths