Community code plugin. Review compatibility and verification before install.
Latest release: v1.0.0Download zip
Capabilities
Compatibility
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The package purpose is coherent with the artifacts: it provides Zhihu AIOps workflows and API references for assets, CMDB, monitoring, VictoriaMetrics, SNMP metrics, inspection, and OS monitoring setup.
Instruction Scope
The add-OS-monitor workflow asks for target SSH credentials, logs in to the platform, tests connectivity, and then creates an asset automatically after success; it lacks an explicit final confirmation gate before the state-changing create action.
Install Mechanism
The installed JavaScript entrypoint is minimal and documentation-oriented, with no hidden runtime hooks, background workers, dependency installation, obfuscation, or destructive local behavior observed.
Credentials
Use of configured Zhihu and VictoriaMetrics endpoints is expected for AIOps, but the workflow transmits SSH usernames/passwords and queries infrastructure inventory and telemetry without sufficiently clear warnings about authorization boundaries, redaction, and secret exposure.
Persistence & Privilege
No local persistence or privilege escalation was found, but the remote platform may store or use submitted SSH credentials when creating monitoring assets.
Scan Findings in Context
[SDI-1] unexpected: I agree this is a material disclosure issue: the package presents itself as documentation-first, while the referenced workflow gives live authenticated curl steps that can create remote monitoring assets.
[SDI-4] expected: Collecting SSH credentials is expected for OS monitoring setup, but the examples place passwords in request bodies and do not adequately prevent exposure through logs, transcripts, or copied commands.
[SQP-2] expected: Platform credentials and target-host credentials are expected for this integration, but the skill's secret-handling guidance is too thin for agent-driven execution.
[SQP-2] expected: Sending SSH credentials to the configured Zhihu backend is part of the OS monitoring workflow, but the artifact does not clearly ask for informed consent or explain backend retention and handling.
[SQP-2] expected: Bearer-token use and infrastructure inventory queries fit the AIOps purpose, but the inspection workflow should warn users to protect tokens and redact sensitive asset and telemetry data.
What to consider before installing
Review before installing in any real environment. Only use it with a trusted Zhihu AIOps backend, least-privilege platform credentials, and explicit user approval before connectivity tests or asset creation. Treat platform passwords, bearer tokens, SSH usernames/passwords, asset inventories, IPs, and telemetry as sensitive; do not paste them into shared prompts, logs, generated scripts, or reports unless properly redacted.