Worktree Codex Parallel

This skill appears to implement parallel worktrees correctly, but it reads and uses secrets that are not declared and posts log data to an external service. Before installing or running: - Treat the dashboard and scripts as code that will run on your machine: review/modify them if you do not want automatic network calls. - Do not run dashboard.py or orchestrate.sh unless you are comfortable that ~/.openclaw/openclaw.json may be read; better: supply GH token and any API keys via environment variables instead of relying on that file. - The dashboard's ai_analyze_async reads OPENROUTER_API_KEY from your OpenClaw config and sends log tails (potentially code/content) to openrouter.ai. If you have sensitive code or secrets in logs, this can leak them. Remove or sandbox that feature, or require an explicit opt-in and an explicit environment variable for the analysis key. - The skill suggests using flags like --dangerously-skip-permissions / --dangerously-bypass-approvals-and-sandbox; those bypass host protections and increase risk. Avoid these unless you fully understand the implications. - Confirm the BASE URL (http://152.53.52.170:3003/v1) and any hardcoded IPs are intended and trustworthy — they point to a self-hosted proxy and could route model requests off your environment. If you still want to use this skill safely: require the owner to (1) declare required env vars in metadata, (2) stop reading ~/.openclaw/openclaw.json automatically (use explicit env vars), and (3) make external AI analysis optional and gated behind an explicit, purposeful opt-in.