Skill v1.0.1

ClawScan security

Approve new channels, and connections to openclaw ui and terminal · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 21, 2026, 11:14 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's files and runtime instructions are coherent with a local approvals/dashboard + browser terminal for OpenClaw; it asks for no unrelated credentials and its behavior matches the description, though it exposes sensitive local state and includes powerful terminal functionality that you must protect before running.
Guidance
This package appears to do what it says: a local dashboard that reads OpenClaw state files and provides an interactive terminal. Before installing or running it, do the following:
1) Change the defaults immediately: set a strong FLASK_SECRET_KEY (via env) and a strong SERVER_AUTH_PASSWORD; also change ADMIN_USERNAME/ADMIN_PASSWORD in server.py or make them configurable via environment variables.
2) Remember this app reads and displays sensitive files (gateway token, pairing JSONs); anyone who can access the web UI or the API endpoints can view or act on those secrets. The /pair and /sync API endpoints accept a JSON password (plaintext) for automation; only use them from trusted local scripts and keep the password strong.
3) The terminal provides a full shell; remove or disable the /terminal route if you do not need it.
4) Review server.py for how it invokes the OpenClaw CLI (subprocess usage). Ensure arguments are passed without shell=True or unsafe string concatenation to avoid command injection if you expose the server beyond localhost.
5) Do not bind to 0.0.0.0 or expose this service to untrusted networks without putting it behind HTTPS and strong access controls.
6) If you rely on external CDNs (socket.io, xterm.js), consider hosting assets locally if you require an air-gapped or stricter environment.
If you want, provide the rest of server.py (the truncated portion) and I will inspect the exact subprocess/pty usage for additional concerns.

Review Dimensions

Purpose & Capability
ok: Name/description (dashboard for device/channel approvals and a live terminal) match the code and SKILL.md. The server reads OpenClaw state files (~/.openclaw), exposes pairing management endpoints, and provides an in-browser terminal — all consistent with the stated purpose. There are no unrelated required env vars or binaries.
Instruction Scope
note: SKILL.md explicitly instructs where to place files, how to install Flask/SocketIO, and to change embedded default credentials. It also documents that the app reads sensitive OpenClaw files (pending/paired device JSON, channel pairing JSON, and gateway token) and that the terminal exposes a full shell. Those behaviors are within purpose but are high-sensitivity operations; the docs warn about them. One operational note: the web templates load Socket.IO (and likely other assets) from public CDNs; SKILL.md does not call this out but this is normal for a local UI.
Install Mechanism
ok: This is an instruction-only skill (no installer spec). The instructions tell the user to pip install flask and flask-socketio — reasonable and proportional. No remote downloads/executables are pulled by the skill itself.
Credentials
note: The skill requests no special environment variables in the registry metadata. The code supports optional env vars (FLASK_SECRET_KEY and SERVER_AUTH_PASSWORD) and provides defaults in server.py for ADMIN_USERNAME/ADMIN_PASSWORD/AUTH_PASSWORD which SKILL.md tells you to change. That is consistent, but embedding default admin credentials in the code is risky — the SKILL.md repeatedly warns not to run with defaults. API endpoints (/pair, /sync) accept a JSON password for automation; ensure you set a strong SERVER_AUTH_PASSWORD before use.
Persistence & Privilege
ok: The skill does not request always:true or any platform privileges. It runs as a local Flask app and does not modify other skills or system-wide OpenClaw config beyond invoking OpenClaw CLI operations (approve/reject). Autonomous model invocation settings are default and not a special privilege in this package.