Low risk: risk score 20/100
Last scan: 2 days ago
server-watchdog
Monitor remote servers via SSH — check service health, database status, disk space, memory, and auto-restart crashed services. Sends alerts via messaging.
Legitimate server monitoring script that pings MongoDB, auto-restarts the Windows service, analyzes crash logs, and sends Telegram alerts — no malicious behavior found.
Skill name: server-watchdog
Analysis time: 40.0s
Engine: pi
Verdict: can be installed
Document the mongodb-watchdog.js script explicitly in SKILL.md, pin the Telegram bot token to environment variables only, and clarify the SSH vs local-service management distinction.

Security findings (3)

Severity | Finding | Location
Low | SKILL.md does not mention the mongodb-watchdog.js script | SKILL.md:1
  Details: The concrete implementation (scripts/mongodb-watchdog.js) is not referenced in SKILL.md. SKILL.md describes SSH-based remote server monitoring, while the script runs locally on the target Windows server using Node.js exec for net start/stop.
  Evidence: "Monitor remote servers via SSH"
  → Document the mongodb-watchdog.js deployment workflow and clarify that it runs locally on the target server rather than via SSH
Low | Hardcoded Telegram chat ID | scripts/mongodb-watchdog.js:29
  Details: The Telegram chat ID '1663667034' is hardcoded in CONFIG.telegram.chatId. While not a security vulnerability by itself, it reveals a specific Telegram contact.
  Evidence: chatId: process.env.TELEGRAM_CHAT_ID || '1663667034'
  → Take the chat ID from the environment variable only and remove the hardcoded fallback value
Low | Hardcoded local server IP in comments | scripts/mongodb-watchdog.js:9
  Details: The comment in the script header references the target server IP 10.0.0.213, which may be unintentional exposure of infrastructure details.
  Evidence (script comment, translated): Deployed on WEB-SV (10.0.0.213), managed with PM2
  → Remove IP addresses from comments in production scripts
Resource type | Declared permission | Inferred permission | Status | Evidence
Command execution | WRITE | WRITE | ✓ consistent | SKILL.md: SSH usage for service restart
Database | READ | READ | ✓ consistent | SKILL.md: database status checks; script: MongoDB ping
File system | NONE | READ | ✓ consistent | scripts/mongodb-watchdog.js: reads mongod.log for crash analysis (legitimate pur…
Network access | NONE | WRITE | ✓ consistent | scripts/mongodb-watchdog.js: Telegram API POST for alerts only (legitimate purpo…

Directory structure

2 files · 15.3 KB · 524 lines
JavaScript: 1 file · 400 lines; Markdown: 1 file · 124 lines
├─ 📁 scripts
│ └─ 📜 mongodb-watchdog.js JavaScript 400L · 11.8 KB
└─ 📝 SKILL.md Markdown 124L · 3.5 KB

Dependency analysis (1)

Package | Version | Source | Known vulnerabilities | Notes
mongodb | not specified | npm | | Package manager file not present; mongodb driver is the only runtime dependency

Security highlights

✓ No base64, no eval(), no obfuscation — code is readable and auditable
✓ No credential harvesting — no iteration over os.environ or reading ~/.ssh/.aws/.env
✓ No curl|bash or wget|sh remote script execution
✓ No data exfiltration — Telegram POSTs are for alerts only, not credential theft
✓ Auto-restart logic is rate-limited (max 5 restarts per hour)
✓ No dependencies with known vulnerabilities — mongodb driver is standard
✓ Local-only attack surface — no remote code execution paths