Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Agent Kanban

OpenClaw Agent Dashboard - A Bloomberg Terminal-style web interface for real-time monitoring of all Agent status, session history, and session file sizes. Us...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 140 · 0 current installs · 0 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The server and frontend implement a dashboard that queries the OpenClaw Gateway and reads agent workspace files — this matches the stated purpose. However the included config.js contains a hardcoded gateway token (token string present) which is not necessary for a generic dashboard distribution and is unexpected in a public skill package.
Instruction Scope
SKILL.md claims the Gateway token is auto-loaded from ~/.openclaw/openclaw.json and that the service is 'Local Access Only' and 'CORS Protected'. In reality: server.js uses config.gateway.token (from config.js/config.local.js) as the token; CORS is set to '*' (Access-Control-Allow-Origin: '*'); and the default host is '0.0.0.0'. Those code behaviors contradict the documentation and broaden the network/data exposure surface (endpoints serve local agent files without authentication).
Install Mechanism
There is no external download or installer; the package is file-based and instruction-only for install (copy + npm install). No high-risk remote installs detected.
Credentials
Registry metadata declares no required credentials, but config.js embeds a bearer token value directly. The code reads files under the user's home (~/.openclaw/* and workspace-* directories) and will serve their contents over HTTP. The hardcoded token and lack of declared secrets are disproportionate and raise risk of accidental credential exposure or misuse.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. However the default server binds to 0.0.0.0 and serves endpoints without authentication, which combined with permissive CORS increases risk of remote access to local files and the Gateway API if the host is reachable.
What to consider before installing
Do not run this package unreviewed on a production or internet-exposed machine. Specific things to check or change before running:

  1. Remove the hardcoded token in assets/agent-kanban/config.js — treat it as a secret; replace it by creating config.local.js with your own token only if you trust the code.
  2. Change server host to 127.0.0.1 instead of '0.0.0.0' to avoid exposing the service to the network.
  3. Replace the Access-Control-Allow-Origin '*' with a specific origin (e.g., 'http://localhost:3100') or enforce authentication on API endpoints.
  4. Audit endpoints (/api/agents/:id/files) — they read arbitrary files under ~/.openclaw/workspace-*, and currently require no auth; ensure you only run in a trusted environment.
  5. Confirm whether the hardcoded token is valid and what account it belongs to — treat it as leaked if valid.

If you cannot perform these checks, run the dashboard in an isolated VM/container or decline installing the skill. If you want, I can list exact code lines to change to lock down host/CORS and remove the embedded token, or help craft a safe config.local.js template.
assets/agent-kanban/server.js:28
Environment variable access combined with network send.
assets/agent-kanban/server.js:39
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.1.1
Tags: agents, dashboard, latest, monitoring, openclaw, terminal


SKILL.md

Agent Kanban

OpenClaw Agent Dashboard - Bloomberg Terminal Style Interface.

Features

  • Real-time Monitoring - View all Agent online status and last active time
  • Auto Grouping - Group by project prefix (main, pmo, alpha, beta)
  • Heartbeat Display - Show agent heartbeat interval from openclaw.json
  • Session History - Click cards to view recent conversation history
  • File Viewer - View Agent's OKR.md, SOUL.md, HEARTBEAT.md
  • Session Size Monitor - Display .jsonl file size with threshold warnings
  • Send Message - Send messages to agents directly from the UI
  • Font Size Control - 10px-24px with reset button (R)
  • Bloomberg Style - Bloomberg Terminal style interface
  • Auto Config Reload - Hot reload when openclaw.json changes
  • Configurable Timeouts - All timeouts and paths configurable via config.js

Tech Stack

  • Backend: Node.js + Express
  • Frontend: React 18 (CDN)
  • Avatar: DiceBear Pixel Art API
  • API: OpenClaw Gateway HTTP API

Quick Start

1. Deploy

# Copy project to destination
cp -r assets/agent-kanban /path/to/destination/
cd /path/to/destination/agent-kanban

# Install dependencies
npm install

2. Start (No Manual Config Needed!)

# Ensure Gateway is running
openclaw gateway start

# Start Kanban
npm start

# Access
# http://localhost:3100

Gateway Token is auto-loaded from ~/.openclaw/openclaw.json - no manual configuration required!

3. (Optional) Custom Config

cp config.js config.local.js
# Edit config.local.js if needed

Config options:

module.exports = {
  server: { port: 3100, host: '0.0.0.0' },
  gateway: {
    url: 'http://127.0.0.1:18789',
    token: ''  // Leave empty to auto-load from openclaw.json
  },
  openclaw: {
    homeDir: '.openclaw',
    configFilename: 'openclaw.json',
    binPath: '/home/dyh/.nvm/versions/node/v22.18.0/bin/openclaw',
    nodePath: '/home/dyh/.nvm/versions/node/v22.18.0/bin'
  },
  timeout: {
    gatewayHealth: 5000,
    gatewayInvoke: 30000,
    sendMessage: 120
  },
  frontend: {
    refreshInterval: 30000,
    highlightThreshold: 60000,
    activeThreshold: 300000
  },
  refreshInterval: 60000,
  sessionSizeThresholds: { warning: 500, danger: 1024 }
};

Prerequisites

  1. OpenClaw installed and running
  2. Gateway started (openclaw gateway start)
  3. Node.js 18+ installed

UI Operations

| Action | Description |
|---|---|
| Click agent card | View details (files + messages) |
| - / + button | Adjust font size (10-24px) |
| R button | Reset font size to 13px |
| CLOSE button | Close agent + hide right panel |
| HIDE button | Hide right panel |
| Input box + SEND | Send message to selected agent |

Send Message to Agent

Click on an agent card, then use the input box at the bottom of the right panel to send messages directly to the agent.

  • Uses openclaw agent --agent <id> --message <msg> CLI command
  • Message appears in agent's session history
  • Agent responds based on its role and context

Error Handling

| Error | Code | Solution |
|---|---|---|
| Gateway not running | GATEWAY_NOT_RUNNING | Run openclaw gateway start |
| Gateway response timed out | GATEWAY_TIMEOUT | Check Gateway health |
| Gateway token invalid | TOKEN_INVALID | Check token in openclaw.json |
| Gateway token not configured | TOKEN_MISSING | Run openclaw wizard |
| Network error | NETWORK_ERROR | Check network connection |

Security

  • Local Access Only: Gateway URL must be localhost or private IP
  • CORS Protected: Only allows requests from localhost:3100
  • Token Validation: Validates Gateway token before API calls
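
The scan report on this page says the shipped code differs from these claims (host '0.0.0.0', Access-Control-Allow-Origin '*', a token embedded in config.js). The following is an added example, not part of the skill's own code, that checks a config object for those settings before start-up; `corsOrigin` and the finding codes are hypothetical names, while the other keys follow the config listing above.

```javascript
// Added example, not the skill's code. server.host, gateway.url and gateway.token
// are keys from the page's config listing; `corsOrigin` is a hypothetical field
// standing in for the Access-Control-Allow-Origin value the scan attributes to server.js.
const LOOPBACK = new Set(['127.0.0.1', '::1', 'localhost']);

// True for loopback names/addresses and RFC 1918 IPv4 ranges.
function isLocalOrPrivate(hostname) {
  const h = hostname.replace(/^\[|\]$/g, ''); // URL keeps brackets on IPv6 hosts
  if (LOOPBACK.has(h)) return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h);
  if (!m) return false;
  const [a, b] = [Number(m[1]), Number(m[2])];
  return a === 127 || a === 10 || (a === 192 && b === 168) ||
         (a === 172 && b >= 16 && b <= 31);
}

// Returns a list of finding codes; an empty list means the config passes.
function auditConfig(cfg) {
  const findings = [];
  const host = cfg.server ? cfg.server.host : undefined;
  // An unset host makes Node listen on all interfaces, so treat it like 0.0.0.0.
  if (!LOOPBACK.has(host)) findings.push('BIND_NOT_LOOPBACK');
  if (cfg.corsOrigin === '*') findings.push('CORS_WILDCARD');
  const gw = cfg.gateway || {};
  if (typeof gw.token === 'string' && gw.token.length > 0) {
    findings.push('TOKEN_EMBEDDED'); // a distributed config.js should ship token: ''
  }
  try {
    if (!isLocalOrPrivate(new URL(gw.url).hostname)) findings.push('GATEWAY_NOT_LOCAL');
  } catch (e) {
    findings.push('GATEWAY_URL_INVALID');
  }
  return findings;
}

// Constructed sample inputs: the settings the scan describes, then the hardened form.
const asScanned = {
  server: { port: 3100, host: '0.0.0.0' },
  gateway: { url: 'http://127.0.0.1:18789', token: 'PLACEHOLDER-NOT-A-REAL-TOKEN' },
  corsOrigin: '*',
};
const hardened = {
  server: { port: 3100, host: '127.0.0.1' },
  gateway: { url: 'http://127.0.0.1:18789', token: '' },
  corsOrigin: 'http://localhost:3100',
};

console.log(auditConfig(asScanned), auditConfig(hardened));
```

The check covers configuration only; the scan's finding that the file endpoints require no authentication has to be addressed in the server code itself.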

Get Gateway Token

# Method 1: From config file
cat ~/.openclaw/openclaw.json | jq '.gateway.auth.token'

# Method 2: From CLI
openclaw gateway status

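Agent Kanban (Chinese)

OpenClaw Agent status monitoring dashboard - Bloomberg Terminal style interface.

Features

  • Real-time Monitoring - Shows the online status and last active time of all Agents
  • Auto Grouping - Automatically groups by project prefix (main, pmo, alpha, beta)
  • Heartbeat Display - Reads and displays the Agent heartbeat interval from openclaw.json
  • Session History - Click a card to view recent conversation records
  • File Viewer - View the Agent's OKR.md, SOUL.md, HEARTBEAT.md
  • Session Size Monitor - Displays .jsonl file size and highlights a warning when it exceeds the threshold
  • Send Message - Send messages to an Agent directly from the interface
  • Font Size Control - 10px-24px, with reset button
  • Bloomberg Style - Bloomberg Terminal style interface
  • Config Hot Reload - Automatically detects changes to openclaw.json and reloads
  • Configurable Timeouts - All timeouts and paths can be configured via config.js

Quick Start

1. Deploy

cp -r assets/agent-kanban /path/to/destination/
cd /path/to/destination/agent-kanban
npm install

2. Start (No Manual Config Needed!)

openclaw gateway start
npm start
# Access http://localhost:3100

Gateway Token is read automatically from ~/.openclaw/openclaw.json - no manual configuration required!

Get Gateway Token

cat ~/.openclaw/openclaw.json | jq '.gateway.auth.token'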

Changelog

2026-03-31

  • New Feature: Send message to agent from UI
  • New Feature: /api/config endpoint for frontend configuration
  • Improvement: All hardcoded values moved to config.js
  • Fix: File expand height improved

More Documentation

See references/README.md for full documentation.

Files

6 total