DashClaw Platform Intelligence

VirusTotal audit pending.

Overview

No VirusTotal analysis has been recorded yet. File reputation checks will appear here once the artifact hash has been scanned.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern: Medium Confidence
ASI05: Unexpected Code Execution
What this means

The agent may run local code from the user's environment automatically, which could read project data or behave differently depending on what `livingcode` resolves to.

Why it was flagged

This directs the agent to execute a local Python module before answering. The `livingcode` module is not included in the manifest or declared as a requirement, so the user cannot review its behavior from the supplied artifacts.

Skill content
Before answering any question about DashClaw's current structure, routes, env vars, or schema — run a live query: `python -m livingcode query all --json`
Recommendation

Only allow the live-query command after confirming the `livingcode` package/module source. The skill should declare this dependency and ask before running local commands.

What this means

A full API key will be sent to whatever `--base-url` or `DASHCLAW_BASE_URL` is configured, and a key prefix may appear in output.

Why it was flagged

The script uses a DashClaw API key from a flag or environment variable and sends it to the configured server. This is expected for authenticated diagnostics, but it is sensitive credential handling.

Skill content
const API_KEY = getFlag('api-key', process.env.DASHCLAW_API_KEY || ''); ... if (API_KEY) headers['x-api-key'] = API_KEY;
Recommendation

Use a trusted DashClaw URL, prefer a least-privilege or test key, and avoid sharing logs that include key prefixes or diagnostic output.

What this means

Running full validation can add test actions, guard checks, and messages to the user's DashClaw account or instance.

Why it was flagged

The validator can create and update DashClaw records when the explicit `--full` flag is used. The behavior is documented and purpose-aligned, but it mutates the target instance.

Skill content
--full       Run full validation including write tests (creates test data) ... await request('/api/actions', { method: 'POST', ... });
Recommendation

Run without `--full` for read-only checks. If write testing is needed, use a test agent ID or staging instance and confirm cleanup expectations.

What this means

If invoked with this flag, the script will record setup proof on the DashClaw instance, changing setup/dashboard state.

Why it was flagged

The script supports an additional flag that posts a validation summary to the configured DashClaw server. It is not listed in the script's top usage comment, although it is gated by an explicit flag and uses the same configured base URL.

Skill content
const CAPTURE_PROOF = hasFlag('capture-setup-proof'); ... fetch(`${BASE_URL}/api/setup/live-proof`, { method: 'POST', ... body: JSON.stringify(payload) })
Recommendation

Document the flag in help text and use it only when the user wants setup proof recorded.