DashClaw Platform Intelligence

Review

Audited by ClawScan on May 13, 2026.

Overview

The skill is mostly a DashClaw troubleshooting/reference helper, but it directs the agent to run an undeclared local Python live-query command before answering and includes API-key-powered scripts that can write test data when explicitly enabled.

Install only if you trust the DashClaw tooling and are comfortable approving local command/script execution. Verify what `python -m livingcode` is before allowing the agent to run it, use trusted DashClaw base URLs, prefer least-privilege/test API keys, and avoid `--full` unless you want test records created.

Publisher note

Read-only knowledge skill. Contains: SKILL.md with API surface map, env var catalog, and schema reference; references/ with platform-knowledge, troubleshooting, and api-surface docs; scripts/ with two Node diagnostic helpers (diagnose.mjs, validate-integration.mjs). Scripts are invoked manually by the consumer against their own DashClaw instance — no autorun, no execFileSync to external scripts, no outbound network from the skill itself. The validate script can create test action+message records when run with the explicit --full flag (documented in its --help). Auto-generated by DashClaw's livingcode emitter. v1.0.1 removed bootstrap-agent-quick.mjs after the v1.0.0 ClawScan found it could execute an unauditable project-root script with the caller's API key. The script was DashClaw-repo-internal only and broken-on-arrival for external consumers.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern, Medium Confidence

ASI05: Unexpected Code Execution

What this means

The agent may run local code from the user's environment automatically, which could read project data or behave differently depending on what `livingcode` resolves to.

Why it was flagged

This directs the agent to execute a local Python module before answering. The `livingcode` module is not included in the manifest or declared as a requirement, so the user cannot review its behavior from the supplied artifacts.

Skill content

Before answering any question about DashClaw's current structure, routes, env vars, or schema — run a live query: `python -m livingcode query all --json`

Recommendation

Only allow the live-query command after confirming the `livingcode` package/module source. The skill should declare this dependency and ask before running local commands.

What this means

A full API key will be sent to whatever `--base-url` or `DASHCLAW_BASE_URL` is configured, and a key prefix may appear in output.

Why it was flagged

The script uses a DashClaw API key from a flag or environment variable and sends it to the configured server. This is expected for authenticated diagnostics, but it is sensitive credential handling.

Skill content

const API_KEY = getFlag('api-key', process.env.DASHCLAW_API_KEY || ''); ... if (API_KEY) headers['x-api-key'] = API_KEY;

Recommendation

Use a trusted DashClaw URL, prefer a least-privilege or test key, and avoid sharing logs that include key prefixes or diagnostic output.

What this means

Running full validation can add test actions, guard checks, and messages to the user's DashClaw account or instance.

Why it was flagged

The validator can create and update DashClaw records when the explicit `--full` flag is used. The behavior is documented and purpose-aligned, but it mutates the target instance.

Skill content

--full       Run full validation including write tests (creates test data) ... await request('/api/actions', { method: 'POST', ... });

Recommendation

Run without `--full` for read-only checks. If write testing is needed, use a test agent ID or staging instance and confirm cleanup expectations.

What this means

If invoked with this flag, the script will record setup proof on the DashClaw instance, changing setup/dashboard state.

Why it was flagged

The script supports an additional flag that posts a validation summary to the configured DashClaw server. It is not listed in the script's top usage comment, although it is gated by an explicit flag and uses the same configured base URL.

Skill content

const CAPTURE_PROOF = hasFlag('capture-setup-proof'); ... fetch(`${BASE_URL}/api/setup/live-proof`, { method: 'POST', ... body: JSON.stringify(payload) })

Recommendation

Document the flag in help text and use it only when the user wants setup proof recorded.