Glance
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name:
Developer:
Version:
Description: OpenClaw Agent Skill
This skill bundle is classified as suspicious due to the broad and powerful capabilities it instructs the AI agent to perform. The `SKILL.md` and `widget-sdk.md` documents explicitly instruct the agent to use its own tools for data collection, including `exec` for shell commands, PTY for interactive CLI tools, and `browser` for web scraping. Furthermore, the agent is instructed to set up cron jobs for scheduled data refreshes, which is a persistence mechanism. While these capabilities are presented as necessary for the stated purpose of managing a personal dashboard and collecting widget data, they represent significant high-risk behaviors that could be abused if the agent were compromised or given malicious instructions.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
API keys for services like GitHub, Anthropic, OpenAI, Notion, or Linear could be duplicated into another local credential store and then used by widgets or generated server code.
The skill encourages reusing credentials already known to the agent and copying them into Glance without explicit per-credential user approval.
OpenClaw already knows your API keys... OpenClaw doesn't ask you to configure anything. It just stores your existing credentials in Glance's encrypted database
Require explicit user confirmation for each credential, explain where it will be stored and how it will be used, prefer least-privilege tokens, and do not assume credentials in agent memory may be reused automatically.
A local agent or process with GLANCE_URL may be able to mutate dashboard state without a separate Glance token.
The documented workflow lets the agent access local Glance APIs by setting an Origin header rather than using a bearer token, despite those APIs managing widgets and cached data.
Auth note: Local requests with Origin header bypass Bearer token auth
Require bearer-token authorization for mutating and credential-related endpoints, declare any required token in metadata, and avoid treating a spoofable Origin header as authorization.
A malicious or compromised widget instruction could redirect the agent to perform actions unrelated to safe dashboard refreshes.
The agent is told to fetch instructions from a stored widget record and follow them, making dashboard/widget content an authoritative instruction source.
sqlite3 $GLANCE_DATA/glance.db "SELECT json_extract(fetch, '$.instructions')..." ... # Follow the instructions, then:
Treat widget instructions as untrusted data, constrain them to a narrow data-refresh contract, and require user approval before using credentials, changing accounts, deleting data, or performing unrelated tool actions.
Bad refresh instructions can persist and repeatedly influence future agent behavior, especially for scheduled widgets.
Agent refresh widgets persist instructions and schedules that can be reused across future tasks.
fetch.instructions ... REQUIRED if type is agent_refresh; fetch.schedule ... REQUIRED if type is agent_refresh (cron)
Store only structured, validated refresh parameters when possible; review any free-form instructions before enabling schedules; and provide a clear way to disable or reset agent_refresh widgets.
Generated widget code could call unexpected services, misuse stored credentials, or expose dashboard data if not reviewed.
The documented workflow has the agent create server-side widget code that can access stored credentials; the supplied artifacts do not show sandboxing or approval boundaries.
"server_code": "const token = await getCredential('github'); ...", "server_code_enabled": true
Require user review before enabling server_code, sandbox execution, restrict outbound network access and credential access per widget, and log what each widget is allowed to do.
Running the installer gives code from an external domain control over local setup, dependency installation, and optional service installation.
The recommended one-line install executes a remote script that is not included in the reviewed artifacts.
curl -fsSL https://openglance.dev/install.sh | bash
Inspect the installer before running it, prefer a pinned release or reviewed source checkout, and avoid piping remote scripts directly into a shell.
Glance may keep running and refreshing widgets after the original task is complete.
The macOS service example installs a launch agent that starts automatically and restarts persistently.
<key>RunAtLoad</key> <true/> ... <key>KeepAlive</key> <true/>
Only install the background service if you want always-on behavior, and keep clear stop/unload instructions available.
A dashboard or widget action can wake the agent and cause it to process refresh work, so webhook tokens and allowed actions matter.
The optional refresh flow lets the dashboard call the OpenClaw gateway with a token to trigger agent activity.
OPENCLAW_WEBHOOK_URL=http://localhost:18789/tools/invoke ... clicking refresh ... will instantly wake OpenClaw
Use a narrowly scoped webhook token, restrict the gateway to local trusted callers, and verify what payloads the dashboard can send to OpenClaw.
