Trusted: risk score 5/100
Last scanned: 1 day ago
watchdog
Monitors websites, APIs, and cron jobs via Watch.dog platform
Legitimate MCP skill that proxies uptime monitoring tools to the Watch.dog platform with no malicious behavior detected.
Skill name: watchdog
Analysis time: 35.3s
Engine: pi
Safe to install
This skill is safe to use. The hardcoded API key placeholder in documentation is benign. No action required.
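| Resource type | Declared permission | Inferred permission | Status | Evidence |
| --- | --- | --- | --- | --- |
| File system | READ | READ | ✓ Consistent | index.js:30 reads .env file |
| Network access | WRITE | WRITE | ✓ Consistent | index.js:107 POSTs to api.watch.dog |
| Environment variables | READ | READ | ✓ Consistent | index.js:26 reads WATCHDOG_API_KEY |
| Command execution | NONE | NONE | | No subprocess or exec calls found |
| Clipboard | NONE | NONE | | No clipboard API usage |
| Browser | NONE | NONE | | No browser automation |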
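1 high severity · 6 findings

| Severity | Type | Finding | Value | Location |
| --- | --- | --- | --- | --- |
| High | API key | Suspected hardcoded credential | API_KEY="sk_live_your_key_here" | SKILL.md:60 |
| Medium | External URL | External URL | https://api.watch.dog/api/mcp_server.php | SKILL.md:25 |
| Medium | External URL | External URL | https://watch.dog | SKILL.md:64 |
| Medium | External URL | External URL | https://watch.dog/monitors/... | index.js:71 |
| Medium | External URL | External URL | https://opencollective.com/express | package-lock.json:138 |
| Medium | External URL | External URL | https://opencollective.com/fastify | package-lock.json:449 |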

Directory structure

4 files · 63.0 KB · 1824 lines
JSON 2f · 1171L | JavaScript 1f · 561L | Markdown 1f · 92L
├─ 📜 index.js JavaScript 561L · 19.2 KB
├─ 📋 package-lock.json JSON 1143L · 39.3 KB
├─ 📋 package.json JSON 28L · 616 B
└─ 📝 SKILL.md Markdown 92L · 3.9 KB

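Dependency analysis · 2 items

| Package | Version | Source | Known vulnerabilities | Notes |
| --- | --- | --- | --- | --- |
| @modelcontextprotocol/sdk | ^1.0.0 | npm | | Official MCP SDK, version pinned in lockfile |
| zod | ^3.22.0 | npm | | Schema validation library, version pinned in lockfile |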

Security highlights

✓ No shell execution or subprocess calls - uses stdio transport exclusively
✓ No credential harvesting beyond service authentication - API key used only for Watch.dog API
✓ No data exfiltration - all network calls are to declared Watch.dog endpoint
✓ No obfuscation - clean, readable code with no base64 or eval patterns
✓ No hidden functionality - all behavior is documented in SKILL.md
✓ Clean dependency tree - only 2 direct dependencies from official NPM
✓ Uses standard MCP SDK from @modelcontextprotocol
✓ Proper Bearer token authentication for API calls
✓ Deletion tools require explicit user confirmation (documented safety measure)