Trusted — Risk Score 5/100
Last scan: 23 hr ago
watchdog
Monitors websites, APIs, and cron jobs via Watch.dog platform
Legitimate MCP skill that proxies uptime monitoring tools to the Watch.dog platform with no malicious behavior detected.
Skill Name: watchdog
Duration: 35.3s
Engine: pi
Safe to install
This skill is safe to use. The hardcoded API key placeholder in documentation is benign. No action required.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Aligned | index.js:30 reads .env file |
| Network | WRITE | WRITE | ✓ Aligned | index.js:107 POSTs to api.watch.dog |
| Environment | READ | READ | ✓ Aligned | index.js:26 reads WATCHDOG_API_KEY |
| Shell | NONE | NONE | | No subprocess or exec calls found |
| Clipboard | NONE | NONE | | No clipboard API usage |
| Browser | NONE | NONE | | No browser automation |
6 findings (1 High)

| Severity | Type | Description | Value | Location |
|---|---|---|---|---|
| High | API Key | Suspected hardcoded credential | `API_KEY="sk_live_your_key_here"` | SKILL.md:60 |
| Medium | External URL | External URL | https://api.watch.dog/api/mcp_server.php | SKILL.md:25 |
| Medium | External URL | External URL | https://watch.dog | SKILL.md:64 |
| Medium | External URL | External URL | https://watch.dog/monitors/... | index.js:71 |
| Medium | External URL | External URL | https://opencollective.com/express | package-lock.json:138 |
| Medium | External URL | External URL | https://opencollective.com/fastify | package-lock.json:449 |

File Tree

4 files · 63.0 KB · 1824 lines
JSON 2f · 1171L JavaScript 1f · 561L Markdown 1f · 92L
├─ 📜 index.js JavaScript 561L · 19.2 KB
├─ 📋 package-lock.json JSON 1143L · 39.3 KB
├─ 📋 package.json JSON 28L · 616 B
└─ 📝 SKILL.md Markdown 92L · 3.9 KB

Dependencies 2 items

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| @modelcontextprotocol/sdk | ^1.0.0 | npm | No | Official MCP SDK, version pinned in lockfile |
| zod | ^3.22.0 | npm | No | Schema validation library, version pinned in lockfile |

Security Positives

✓ No shell execution or subprocess calls - uses stdio transport exclusively
✓ No credential harvesting beyond service authentication - API key used only for Watch.dog API
✓ No data exfiltration - all network calls are to declared Watch.dog endpoint
✓ No obfuscation - clean, readable code with no base64 or eval patterns
✓ No hidden functionality - all behavior is documented in SKILL.md
✓ Clean dependency tree - only 2 direct dependencies from official NPM
✓ Uses standard MCP SDK from @modelcontextprotocol
✓ Proper Bearer token authentication for API calls
✓ Deletion tools require explicit user confirmation (documented safety measure)