Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Dashboard
v1.0.1
Build custom dashboards from any data source with local hosting and visual QA loops.
⭐ 2 · 1.8k · 24 current · 25 all-time
by Iván @ivangdavila
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The name and description (custom dashboards, local hosting, visual QA) line up with the SKILL.md: it generates static HTML, creates fetch scripts, and stores dashboards under ~/dashboard/. It does not request unrelated credentials or binaries in the registry metadata.
Instruction Scope
Instructions stay within dashboard-building scope: create ~/dashboard/, generate fetch scripts that read environment variables, and produce HTML/widgets. However, the guidance is somewhat high-level: the skill endorses connecting to many data sources (APIs, DBs, SSH) and relies on the user/agent to author the appropriate fetch scripts. The docs claim 'credentials via env vars, never in files' but do not require or enforce this; generated scripts should be inspected to ensure they don't embed secrets or write sensitive data to disk.
Install Mechanism
Instruction-only skill with no install spec and no code files to drop on disk. This minimizes installation risk.
Credentials
No environment variables or credentials are required by the registry. The runtime model expects the user to supply service-specific API keys or DB/SSH credentials as environment variables when running fetch scripts, which is proportionate to the described capabilities.
Persistence & Privilege
No always:true, no system-level config paths requested, and the skill stores everything under a user-owned ~/dashboard/ directory. It does not claim to persist or modify other skills or agent-wide settings.
Assessment
This skill is instruction-only and appears coherent with its purpose, but it delegates sensitive actions to generated fetch scripts you will run. Before installing/using:
1) review any generated fetch scripts (~/dashboard/*/fetch.*) to ensure they do not embed credentials or call unexpected endpoints;
2) avoid putting API keys or passwords directly into files; export them in a limited shell session or use a secrets manager;
3) restrict filesystem permissions on ~/dashboard (chmod 700) because data.json may contain sensitive information;
4) when connecting to DBs or SSH, verify the exact commands and endpoints the skill suggests and prefer least-privilege credentials;
5) don't expose the dashboard to the network without adding authentication; and
6) add generated fetch scripts to cron only after manual inspection.
These precautions will mitigate the main risks of accidentally storing or exfiltrating secrets.
Like a lobster shell, security has layers: review code before you run it.
Runtime requirements
📊 Clawdis
OS: Linux · macOS · Windows
