Observability
Author: yuyonghao-123 · v0.1.1 · MIT-0
Total downloads: 154 · Favorites: 0 · Current installs: 0 · Versions: 2
Install in OpenClaw
/install yuyonghao-observability
Description
Provides a complete AI agent observability solution with structured logs, metrics, distributed tracing, alert management, and a real-time monitoring dashboard.
Security usage recommendations
This package appears to implement an observability system and mostly aligns with its description, but review these points before installing:
- Source & provenance: the skill has no homepage or repository link. Prefer packages with a known source or inspect the full repository before trusting it in production.
- Version/manifest inconsistencies: SKILL.md claims v0.2.0 while package.json is v0.1.1 and package-lock.json v0.1.0; the registry also listed it as "instruction-only" despite code files. These mismatches suggest the package or metadata may be stale or poorly maintained.
- Missing/trimmed code or API mismatches: index.js references methods (e.g., createDefaultRules, getStats, getHistory) that were not visible in the provided AlertManager snippet — the repo may be incomplete or truncated in the scanned snapshot. Run the test suite locally and review all source files before use.
- Webhook/notifications: AlertManager can POST alert payloads to configured webhook URLs. Only configure webhooks that you trust. Avoid sending logs or tokens to external endpoints you do not control. Treat webhooks as possible exfiltration channels.
- Run in isolation first: run npm install and npm test in a sandbox (container or VM). Start the dashboard on a non-production machine and inspect logs and network activity to confirm behaviour.
- Inspect logs and default config: default log directory (./logs) may contain sensitive data — rotate and restrict permissions. If you enable auto-reporting or external reporting later, double-check destinations.
Functional analysis
Type: OpenClaw Skill
Name: yuyonghao-observability
Version: 0.1.1
The skill bundle implements a comprehensive observability system, but it contains a significant security vulnerability in `src/dashboard.js`. The dashboard starts an unauthenticated HTTP server (defaulting to port 3001) that exposes sensitive system information, including full application logs via the `/api/logs` endpoint and detailed LLM/MCP execution metadata via `/api/status`. While these features align with the stated purpose of the tool, the lack of any access control or authentication mechanism creates a high risk of information disclosure and data exfiltration if the agent is running in a non-isolated network environment.
Capability assessment
Purpose & Capability
Name/description match the included code: logger, metrics, tracer, alert manager, dashboard, and monitors are present. The skill requires Node >=18 per SKILL.md/package.json (reasonable). There are no unrelated required env vars or binaries. However the registry metadata said "instruction-only" while the package contains many code files and a package.json—an inconsistency in the manifest.
Instruction Scope
SKILL.md instructs npm install, run tests, and start a local dashboard (node src/dashboard.js). The code implements dashboard and webhook notification handlers that will send alert payloads to configured webhook URLs. That behaviour is expected for an alert manager but it is a potential exfiltration vector if a webhook is pointed to an untrusted external endpoint. The instructions do not ask to read unrelated system credentials, but the implementation writes/reads logs (./logs by default) and exposes API endpoints on localhost which could surface sensitive log/metric data if misconfigured.
Install Mechanism
No formal install spec was provided by the registry (install-only via SKILL.md). The package uses npm (package.json + package-lock.json) and depends primarily on 'winston' and typical npm libs — an expected, moderate-risk install mechanism. There are no downloads from arbitrary URLs or extract operations in the manifest.
Credentials
The skill declares no required environment variables or primary credentials and the code does not require cloud credentials for normal operation. That is proportionate to an observability tool. Note: if you configure webhook notification channels you will supply external URLs; those endpoints could receive alert and (depending on configuration) log/metric content.
Persistence & Privilege
The skill does not request 'always: true' or elevated privileges. It can run a local HTTP dashboard (default port 3001) and writes logs to disk (./logs). Those are normal for a monitoring tool but mean it will create files and listen locally while running. Autonomous invocation is allowed (platform default), which increases blast radius only if combined with other red flags.
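How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install yuyonghao-observability
- After installation, call the Skill by name or use /yuyonghao-observability to trigger it
- Provide the required input according to the Skill's parameter description to get structured output
Version history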
v0.1.1
- Updated package.json only.
- No features, fixes, or documentation changes in codebase.
- Internal metadata or dependency update; no impact on user-facing functionality.
v0.1.0
Complete observability system with logging, metrics, tracing, alerts and dashboard
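FAQ
What is Observability?
Provides a complete AI agent observability solution with structured logs, metrics, distributed tracing, alert management, and a real-time monitoring dashboard. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 154 cumulative downloads to date.
How do I install Observability?
Run the command "/install yuyonghao-observability" in the OpenClaw or Claude Code chat box for a one-step install, with no additional configuration required.
Is Observability free?
Yes. Observability is completely free, licensed under MIT-0, and can be freely downloaded, installed, and used.
Which platforms does Observability support?
Observability is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Observability?
It is developed and maintained by yuyonghao-123 (@yuyonghao-123); the current version is v0.1.1.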