Approve new channels, and connections to openclaw ui and terminal
Suspicious. Audited by ClawScan on May 10, 2026.
Overview
This appears to be the intended local OpenClaw dashboard, but it exposes a gateway token and full browser terminal behind known default credentials and broad Socket.IO access.
Install only if you need a local approvals dashboard and browser terminal. Before running it, change all default credentials, set a strong FLASK_SECRET_KEY, keep it bound to 127.0.0.1, restrict Socket.IO origins, and consider removing the terminal feature if you only need approvals.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the server is reachable and defaults are not changed, someone who knows the defaults may be able to access the dashboard, gateway token, approvals, or terminal.
The dashboard and API have known fallback secrets/passwords, including a default Flask session signing key. These protect access to sensitive OpenClaw functions.
```python
app.config['SECRET_KEY'] = os.environ.get('FLASK_SECRET_KEY', 'a_very_secret_key_for_dev_only_change_me')
...
ADMIN_PASSWORD = 'admin'
...
AUTH_PASSWORD = os.environ.get('SERVER_AUTH_PASSWORD', 'Bb7766!server')
```
Require strong user-supplied credentials before startup, remove hardcoded fallback passwords/secrets, set FLASK_SECRET_KEY and SERVER_AUTH_PASSWORD, and avoid running until the dashboard password is changed.
Anyone who gains access to the dashboard can run commands as the user running the server.
A browser-accessible terminal is arbitrary local command execution. It is disclosed and purpose-aligned, but it is high-impact and not scoped to a safer command set.
**Terminal access** — The terminal feature gives full shell access to your machine.
Disable or remove the terminal route unless strictly needed, keep the server bound to 127.0.0.1, use strong authentication, and never expose it to a network without a hardened reverse proxy and TLS.
A web page or client that can reach the local server may be able to connect to Socket.IO and observe or interact with sensitive real-time events.
Socket.IO accepts all browser origins and broadcasts pairing data to connected clients, creating unclear origin and data boundaries for a sensitive local dashboard.
```python
socketio = SocketIO(app, cors_allowed_origins="*", async_mode=async_mode, transports=['polling'])
...
socketio.emit('new_pairing', pairing_data)
```
Restrict Socket.IO allowed origins to the exact local dashboard origin, authenticate socket connections, and add explicit origin/CSRF protections for state-changing actions.
Approving the wrong request could grant an unintended device or channel access to the OpenClaw gateway.
The skill can mutate OpenClaw device authorization state. This is central to the skill's purpose, but users should recognize the impact of approvals/rejections.
Approve/reject actions use the `openclaw devices approve` and `openclaw devices reject` CLI commands.
Only approve requests you recognize, review device/channel details before clicking, and prefer explicit confirmation for bulk or latest-request approvals.
Future dependency changes or compromised packages could affect the dashboard's behavior.
The setup uses unpinned Python dependencies. This is common for small Flask apps, but it means installs may resolve to different package versions over time.
```shell
pip install flask flask-socketio
```
Pin dependency versions, use a virtual environment, and consider self-hosting or integrity-pinning browser JavaScript dependencies used by the templates.
