Skill v2.0.8
ClawScan security
Free Mission Control for OpenClaw AI Agents · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 3, 2026, 5:49 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The documentation and instructions are generally coherent with a self-hosted dashboard, but the skill instructs you to run external GitHub code that will read and surface potentially sensitive agent/session files (e.g., ~/.claude/projects/, SOUL/MEMORY files) and later can be connected to a cloud service. You should audit the upstream repo and understand exactly what data is read/exposed before running.
- Guidance: This skill is documentation for an open-source self-hosted dashboard rather than bundled code, but installing it means cloning and running third-party server code that can read and display agent/session files and optionally connect to a cloud service. Before installing or running:
  1. Review the referenced GitHub repository (server/index.js, package.json, any scripts) to confirm which local paths it reads and what it exposes (especially ~/.claude/projects/, SOUL.md, MEMORY.md, and any logged tokens).
  2. Run the server in an isolated environment (VM/container) bound to localhost and behind a firewall or reverse-proxy if you need remote access.
  3. Do not run any connect script or provide cloud API keys until you trust missiondeck.ai and have inspected the script; prefer a fork you control.
  4. If you enable GitHub sync, create a least-privilege token and rotate it after testing.
  5. Avoid running this on machines holding high-value secrets unless you have audited the code; if you must test, use throwaway accounts/data.

  Additional helpful info that would change the assessment: an included code snapshot to review, explicit documentation of exactly which files/fields are read from ~/.claude and how tokens are displayed/obfuscated, or assurances in the repo that tokens are not persisted/exposed.
- Findings:
  - [clawhub:previous-shell-install-heuristic] unexpected: SECURITY.md documents that earlier versions contained shell-install metadata which triggered heuristics. Current skill metadata replaced shell entries with link-kind entries; the warning is historical but relevant: the recommended runtime steps (git clone / npm install / node server) still require executing upstream code which must be audited.
Review Dimensions
- Purpose & Capability (note): The skill's name and description (self-hosted mission control / dashboard / Claude session tracking / task sync) line up with the instructions to clone and run a Node server and to have agents point at it. However the README explicitly says the server auto-discovers ~/.claude/projects/ sessions and displays tokens, and allows editing agent SOUL/MEMORY files, sensitive capabilities that are not reflected in registry metadata (e.g., required config paths were declared as none). This is plausible for a dashboard but is higher-sensitivity behavior than a simple 'kanban' widget and should be explicitly documented in metadata.
- Instruction Scope (concern): SKILL.md instructs the user to git clone a public repo, run npm install and start a Node server from that repo (typical for self-hosted apps). The docs also state the server auto-discovers ~/.claude/projects/ and shows 'tokens' and enables viewing/editing of agent SOUL/MEMORY files and configuring webhooks. Those instructions imply reading local home files and exposing their contents in the dashboard, operations that can leak secrets. The skill bundle itself contains only docs (no executable code), so the actual runtime behavior depends on external repo code; that runtime behavior is not contained in the skill and must be audited before execution.
- Install Mechanism (note): This is instruction-only (no install spec) which is lower surface risk in the registry, but the documentation tells users to clone and run code from a GitHub repository. The metadata links to the public GitHub repo and a demo. No bundled installers or remote archives are included in the skill itself, but executing the recommended steps will run external code (npm install / node server) fetched from third-party sources.
- Credentials (concern): The registry declares no required env vars or config paths, yet the docs discuss optional/conditional credentials and configs: GitHub sync needs a GITHUB_TOKEN and GITHUB_REPO, connect scripts mention MISSIONDECK_API_KEY / MISSIONDECK_URL, and the server will create/use a local .mission-control/ directory and may read ~/.claude/projects/. The skill's documentation indicates access to sensitive files (claude sessions with tokens, agent SOUL/MEMORY) and to optional cloud API keys; these are reasonable for the advertised features but are high-value secrets and their handling is not declared in the registry metadata. That mismatch is notable.
- Persistence & Privilege (note): The skill is not always-enabled and allows model invocation (defaults). The potential persistent impact comes from running the external server yourself and pointing agents at it: once agents are configured to talk to the server, the server can receive or be given agent data (SOUL/MEMORY) and store it locally or send it to a cloud endpoint. The registry did not mark always:true and the skill does not modify other skills' configs, but the user-run server could become a persistent collector of agent data if misconfigured.
