wesley dashboard builder

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is a coherent Wesley dashboard builder, but it includes root-level deployment to a hard-coded VPS, public live/API exposure, persistence, and realistic demo trading data that could be mistaken for real proof.

Install only if this is specifically for the Wesley/Georges infrastructure and you own the VPS, Cloudflare tunnel, and Telegram bot. Before use, require explicit approval for any SSH, Docker, port, or persistence command; replace hard-coded hosts with your own; restrict API/CORS access; and make demo/fallback performance data visibly labeled so it cannot be mistaken for real live results.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Visitors could interpret simulated trading or portfolio data as real live performance and make payment or trading decisions based on misleading proof.

Why it was flagged

The skill tells the agent to build public performance-proof pages for VIP conversion while also showing realistic demo data if the live API is offline, without requiring a visible demo/offline label.

Skill content

Home/Proof → social proof → converts to VIP ... Fallback demo data — if the API is offline, realistic demo data is displayed ... VIP CTA — always present

Recommendation

Require clear 'demo/offline' labels, disable VIP conversion CTAs when fallback data is shown, and only present live performance as proof when it comes from verified live data.

What this means

If followed automatically or by mistake, the agent could change or interrupt a VPS/container environment and expose new services to the network.

Why it was flagged

The deployment instructions use root access to a hard-coded VPS, modify Docker port exposure, and restart containers, which are high-impact infrastructure actions.

Skill content

ssh root@72.62.30.28 ... ports: ... "8765:8765" ... "8766:8766" ... docker compose down && docker compose up -d

Recommendation

Require explicit user approval before any deployment command, parameterize the target host, use a least-privileged deployment user, and provide backup and rollback steps.

What this means

Using this skill may require handing the agent broad infrastructure privileges that exceed simple static file generation.

Why it was flagged

The skill's docs imply use of root SSH access and Cloudflare tunnel credentials in addition to the declared Telegram bot token.

Skill content

scp -r ./mon-dashboard/ root@72.62.30.28:/tmp/dashboard-upload/ ... credentials-file: /root/.cloudflared/<ID>.json

Recommendation

Declare all required credentials and privileges, avoid root logins, use scoped deployment tokens or a restricted user, and confirm the VPS and Cloudflare account belong to the user.

What this means

Live trading, portfolio, signal, or photo data could become publicly accessible or scrapeable beyond the intended audience.

Why it was flagged

The documentation recommends a public tunnel and wildcard CORS for the dashboard API, while the dashboard is described as showing portfolio, trades, signals, and photos.

Skill content

CORS(app, origins=['*'])  # or restrict to the Cloudflare URLs ... Public URL: https://truth-demonstrate-restore-calgary.trycloudflare.com

Recommendation

Restrict CORS to trusted domains, add authentication for non-public endpoints, separate public proof data from private live data, and avoid exposing the API port directly.

What this means

The dashboard and API may continue serving content publicly after the original task is finished, including stale or unintended data.

Why it was flagged

The skill documents a startup script that keeps the static server and API running automatically after container start.

Skill content

Auto-launch at startup ... cat > /start-dashboard.sh ... python3 -m http.server 8765 & ... python3 api/dashboard_api.py --port 8766 &

Recommendation

Make persistence opt-in, document stop/cleanup commands, log what is running, and require user confirmation before enabling startup behavior or permanent tunnels.

What this means

The environment could break or pull an unexpected package version if this command is run later.

Why it was flagged

The troubleshooting instructions install an unpinned package into the container with a system-package override; this is purpose-aligned for CORS but changes the runtime environment.

Skill content

docker exec openclaw-yyvg-openclaw-1 pip3 install flask-cors --break-system-packages

Recommendation

Pin dependency versions, build them into a reviewed image, and avoid --break-system-packages unless the user explicitly accepts the risk.