https://clawhub.ai/api/v1/skills/windows-health-monitor/file?path=SKILL.md&version=1.6.0
github.com/clawhub.ai/windows-health-monitor
Scanned Thu, 28 May 2026 15:44:53 GMT
Scan ID crawl-rna1p1raop5f8590ypb4ylmd · 2ms
B
SCORE 75 / 100
Verdict: Safe to install

4 medium findings.

This skill ships without a capability manifest plus 3 other issues listed below.

0 critical0 high4 medium8 rules passed

Why grade B?

score · 75 / 100

The current grade reflects 4 medium findings (3+ MEDs → B).

0 CRIT0 HIGH4 MED0 LOW
To reach a higher grade
  • A
    Reach Atarget score 95

    Resolve 2 of 4 MED (cap is 2).

Thresholds are documented at /docs/grading. Source-of-truth is the grade() function in @skillox/scanner.

Findings · ordered by severity

med
No capability manifest declared
The skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.
rule: no-manifest
med
Link text shows "security.md" but points at github.com
The visible link text contains the domain `security.md`, but the URL actually targets `github.com`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.
rule: anchor-href-mismatchline: 17CWE-601
15Cross-platform diagnostics for OpenClaw gateways. Covers the most common performance problems discovered through real-world debugging on Windows 11 native, WSL2, Linux, and macOS environments.
16
17See **[SECURITY.md](https://github.com/jordan-thirkle/openclaw-winhealth/blob/main/SECURITY.md)** for data collection and privacy disclosures. External alerts are off by default in v1.4.0+.text→security.md · href→github.com
18
19## Quick Health Check
med
Link text shows "security.md" but points at github.com
The visible link text contains the domain `security.md`, but the URL actually targets `github.com`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.
rule: anchor-href-mismatchline: 201CWE-601
199- Log tail extraction (when `include_logs` is enabled — defaults to disabled)
200
201Diagnostic bundles may contain system metadata, log-derived details, file paths, identifiers, and configuration structure even after OpenClaw's built-in sanitation. **Review the contents before sharing.** Only share diagnostic bundles with trusted recipients for troubleshooting purposes. See [SECURITY.md](https://github.com/jordan-thirkle/openclaw-winhealth/blob/main/SECURITY.md#diagnostic-bundles).text→security.md · href→github.com
202
203For bug reports or sharing diagnostics:
med
Link text shows "security.md" but points at github.com
The visible link text contains the domain `security.md`, but the URL actually targets `github.com`. This is a phishing/smuggling pattern — the reader sees one host, the agent fetches another. Either update the text or the URL so they match.
rule: anchor-href-mismatchline: 251CWE-601
249## Security Considerations
250
251- **External alerts are off by default** (`alertChannel: "none"`). Enable only after reviewing [SECURITY.md](https://github.com/jordan-thirkle/openclaw-winhealth/blob/main/SECURITY.md).text→security.md · href→github.com
252- **Diagnostic bundles** are sanitized by OpenClaw but may still contain system metadata — review before sharing.
253- **Dashboard token** is stored in browser `sessionStorage` by default and cleared on tab close.
Scan another →Share
skillox.io/r/crawl-rna1p1raop5f8590ypb4ylmd