hearth

Name: hearth
Author: nj070574-gif

Description

A fast, read-only health-check sweep across every device in a homelab — ping, uptime/load, memory/disk, services, and app health, in 14 seconds with output y...

README (SKILL.md)

What hearth gets you

Before hearth: six SSH terminals open on a Friday afternoon. Type uptime; free -h; df -h; systemctl is-active \x3Csvc1> \x3Csvc2> ... on each box. Eight minutes in, you've forgotten what server 1 said.

With hearth: one command, 14 seconds, every device, same format, one screen. Done.

=== HOMELAB — ESTATE HEALTH SWEEP ===
=== 192.0.2.10 main-server ===
  L1 ping:    OK
  L2 uptime:  1 day, 2 hours, load: 0.15 0.18 0.15
  L3 mem:     used 1.6Gi / 7.7Gi, 6.0Gi avail | disk: / 6% used, 814G free
  L4 svc:     openclaw=active nginx=active ollama=active cron=active
  L5 app:     gateway={"ok":true} | https-front=HTTP 200
=== 192.0.2.20 fileserver ===
  L1 ping:    OK   ...
=== sweep complete in 14 seconds ===

Why someone uses this skill

Three things make hearth different from "just SSH and check yourself" or "set up Prometheus":

Read-only by design. Never modifies remote state. No systemctl restart, no apt-get install, no writes beyond /tmp/.hearth_*. Safe to run from cron, from an LLM agent, from a colleague's shell. Most monitoring tools can't make that promise.
Honest about what it can't see. When a layer can't be probed (Windows host with no SSH, chroot with no systemd), hearth says so explicitly — unmanaged-host (no SSH), no-systemd (chroot — N/A). It doesn't fake a green result. You always know whether a green is real or just unmeasured.
Zero install on remote hosts. No agent on every box. No node_exporter. No daemon. Just SSH from one bridgehead. If you can SSH to a host, hearth can probe it.

The 5-layer pattern catches the failure classes that actually hit homelabs in production:

Layer	Catches
L1 ping	Network drop, host off, ICMP blocked
L2 uptime+load	Reboots, runaway load
L3 mem+disk	Disk filling up before journald truncates logs, OOM-precursor leaks
L4 services	Service crashed, unit name drift after distro upgrade, fail2ban banning your bridgehead
L5 app	The "service is up but returns HTTP 500 for three days" silent-failure class

How hearth works

hearth is configuration-driven — the skill itself contains zero knowledge of any specific lab. The user describes their devices in ~/.hearth/devices.yaml (or wherever HEARTH_CONFIG points), and hearth reads that config to drive its probes. Six device archetypes ship as worked examples (Linux+systemd, chroot/no-systemd, Raspberry Pi, Windows HTTP-only, SLURM cluster, multi-app web stack).

Triggering

Invoke hearth when the user asks anything in this family:

"server status", "lab status", "homelab status"
"check all servers", "check the lab", "check my hosts"
"is X up?" (where X is a device name from their config)
"how is the lab?", "how is X?"
"health check", "health sweep", "device health"
"what's running?", "what's down?"

If the user names a single device, run hearth check-device \x3Cname> (or scope the sweep to one device with --device \x3Cname>).

Operation

hearth is implemented as a thin wrapper around two scripts that ship with the project:

scripts/sweep.sh — runs the full estate sweep, or a subset
scripts/check-device.sh — runs the 5-layer probe on one device

Run from the user's hearth installation directory (typically ~/hearth/):

./scripts/sweep.sh                    # full sweep
./scripts/sweep.sh --device \x3Cname>    # one device
./scripts/sweep.sh --group \x3Cname>     # named group of devices
./scripts/sweep.sh --dry-run          # validate config, no probes

Show the user the raw output. The output is already designed to be human-readable; do not re-summarise unless the user explicitly asks for analysis.

Output format

Each device's status is printed in this exact format:

=== \x3Cip-or-hostname> \x3Cname> [(\x3Crole>)] ===
  L1 ping:    OK | UNREACHABLE
  L2 uptime:  \x3Cduration>, load: \x3C1m> \x3C5m> \x3C15m>
  L3 mem:     used \x3CX> / \x3CY>, \x3CZ> avail | disk: / \x3Cpct>% used, \x3Cfree> free
  L4 svc:     \x3Cservice1>=active \x3Cservice2>=active ...
  L5 app:     \x3Capp1>=\x3Cstatus> | \x3Capp2>=\x3Cstatus> ...

Special cases:

UNREACHABLE at L1 — device fails ping. L2-L5 are skipped, sweep continues.
SSH FAILED at L2-L4 — device pings but SSH is unresponsive. L5 may still be attempted for HTTP probes.
unmanaged-host (no SSH) at L2-L4 — device is configured auth: http-only (e.g. Windows host without SSH). L5 carries the health signal.
no-systemd (chroot — N/A) at L4 — device is a chroot or has no systemd. L2/L3 still apply, L5 carries app-health.

Triggers requiring extra care

"restart X" / "kill X" / "deploy X" — hearth is read-only. If the user asks for write actions, do NOT use hearth — explain that hearth doesn't modify remote state and ask if they want to do that another way.
"add a new device" — direct the user to edit ~/.hearth/devices.yaml. Reference examples/devices.example.yaml and docs/CONFIG.md in the project for schema.
"why is X down?" — first run ./scripts/sweep.sh --device \x3CX> to confirm the failure mode, then suggest investigation paths based on which layer failed (L1 = network, L4 = services, L5 = app).

What hearth never does

Never modify remote hosts. No systemctl restart, no apt-get install, no file writes beyond /tmp/.hearth_* ephemera.
Never reveal credentials. Passwords and tokens live in env vars and SSH keys; hearth does not echo them.
Never make claims it can't verify. If L4 can't be probed (chroot, Windows), hearth says so explicitly rather than reporting a fake green.
Never fabricate device data. Every line of output comes from a real probe of a real device. If a probe times out, the output says so.

Adding hearth to a new lab

If the user has not yet set up hearth:

Direct them to clone the repo and copy examples/devices.example.yaml to ~/.hearth/devices.yaml
They edit the YAML with their real devices
They set credential env vars (HEARTH_PASS_\x3CDEVICE>, etc.)
They run ./scripts/sweep.sh --dry-run to validate
They run ./scripts/sweep.sh for the first sweep

See docs/INSTALL.md for platform-specific install steps.

Adding a new device archetype

If the user has a device type not covered by the 6 ship-included archetypes (linux-systemd, linux-nosystemd-chroot, raspberry-pi, windows-http-only, slurm-cluster, magento-server), help them craft a new entry by:

Reading examples/archetypes/ for the closest existing match
Probing the device manually with ssh user@host 'uname -srm; uptime; systemctl list-units --type=service --state=running --no-pager | head -20' to discover its services
Adding a new device entry to their devices.yaml
Running ./scripts/sweep.sh --device \x3Cnew-name> to test

Encourage them to contribute the new archetype back upstream if it's broadly useful.

Failure modes and what to tell the user

Symptom	Likely cause	Suggested action
L1 UNREACHABLE on a normally-reachable device	Network drop, host powered off	Check physical/UPS, check switch, ping the gateway
SSH FAILED but L1 OK	SSH daemon down, firewall, fail2ban ban	SSH manually from another host to confirm
L4 service shows `inactive` for a service the user expects active	Service crashed, unit name wrong	`journalctl -u \x3Cunit>` on the device
L5 HTTP probe shows `HTTP 000`	App is down or port closed	`curl -v \x3Curl>` from the bridgehead
L5 HTTP probe shows `HTTP 502/503`	App is up but failing	Check app's own logs
Sweep takes >30s for 10 devices	One device is timing out	Re-run with `--device \x3Cname>` to isolate

Privacy

hearth is designed to be safe to run in a public/agentic context:

Reads only the user's own config file (no broader filesystem snooping)
Writes only to /tmp/.hearth_* (cleaned up immediately)
Does NOT log device IPs, hostnames, or output to any remote service
Does NOT include telemetry of any kind

If asked about specific configuration values (passwords, tokens), hearth does NOT have access to those — they're in the user's env vars, only readable by the running process when invoking SSH/curl.

Version

0.1.4 — schema-only example.yaml; app probes documented per-archetype. OpenClaw skill mode.

Usage Guidance

Install only if you are comfortable letting this skill run local scripts that SSH or curl your configured devices. Before use, review ~/.hearth/devices.yaml, especially every `type: command` probe, and use dedicated low-privilege credentials where possible. The artifacts do not show malicious behavior, but the combination of credentials, broad homelab reach, and configurable shell execution deserves manual review.

Capability Analysis

Type: OpenClaw Skill Name: hearth Version: 0.1.5 The hearth skill is a homelab monitoring utility that uses SSH and local command execution to perform health checks. While it lacks clear evidence of intentional malice and includes documentation emphasizing a 'read-only' design, it is classified as suspicious due to high-risk implementation patterns and potential injection vulnerabilities. Specifically, scripts such as `scripts/check-device.sh` and `scripts/lib/config.sh` interpolate shell variables (like `$device_name` and `$config_path`) directly into Python and Bash execution strings without sanitization. Furthermore, the tool's core functionality involves handling sensitive credentials via environment variables and executing arbitrary user-defined commands on remote hosts, which presents a significant attack surface if the configuration file is manipulated.

Capability Tags

cryptorequires-walletrequires-oauth-tokenrequires-sensitive-credentials

Capability Assessment

⚠ Purpose & Capability

The health-check purpose is coherent and mostly read-only, but the documented L5 command probe is a broad shell escape hatch: commands are sourced verbatim from the user's config and can run locally or over SSH.

ℹ Instruction Scope

The skill scopes itself to status/health-check prompts and explicitly tells the agent not to use hearth for restarts, kills, deploys, or other write actions.

ℹ Install Mechanism

Registry metadata lists no install spec and the source/homepage are unknown, while the docs instruct users to clone a GitHub repository and install local command-line dependencies.

⚠ Credentials

The requested environment access is powerful for a health checker: it can use SSH passwords, SSH private keys, bearer tokens, ping/curl, and local or remote shell commands across all configured devices.

ℹ Persistence & Privilege

The skill uses a persistent ~/.hearth/devices.yaml file containing device topology, auth environment variable names, key paths, service lists, and command probes; no daemon or background persistence is documented.

Version History

v0.1.5

v0.1.5 - Documentation only. Rewrote SKILL.md frontmatter description and body for sales clarity (the listing summary is now the punchier 'What hearth gets you' pitch instead of the dry mechanism description). Added a comprehensive PrePublishGate regex-layer security-scan CI workflow that catches 35+ leak patterns on every push and PR. No functional or behavioural changes - skill output and config schema are identical to v0.1.4.

v0.1.4

Reduced examples/devices.example.yaml to a schema-only example. App-probe examples now live exclusively in the per-archetype guides — registry scanners were repeatedly flagging in-YAML example URLs.

v0.1.3

Replaced all raw-IP URLs in examples and archetypes with .lan hostnames. The scanner's install_untrusted_source rule was flagging each raw-IP URL one at a time.

v0.1.2

Replaced http://127.0.0.1/ with http://localhost/ in the example devices.yaml — the bare-IP form was triggering install_untrusted_source on registry scanners.

v0.1.1

Moderation-friendly clarity pass: replaced placeholder git clone URL with canonical, softened scanner-flagged wording, added a README section explaining the SUSPICIOUS rating with full transparency about what hearth does and does not do.

v0.1.0

Initial public release. 5-layer health-check skill for homelabs. Read-only by design, configuration-driven, six device archetypes shipped.

Metadata

Slug hearth

Version 0.1.5

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 6

Frequently Asked Questions

What is hearth?

A fast, read-only health-check sweep across every device in a homelab — ping, uptime/load, memory/disk, services, and app health, in 14 seconds with output y... It is an AI Agent Skill for Claude Code / OpenClaw, with 98 downloads so far.

How do I install hearth?

Run "/install hearth" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is hearth free?

Yes, hearth is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does hearth support?

hearth is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created hearth?

It is built and maintained by Only 1 Naren (@nj070574-gif); the current version is v0.1.5.

More Skills