openclaw-dashboard
v1.7.3
Real-time operations dashboard for OpenClaw. Monitors sessions, costs, cron jobs, and gateway health. Use when installing the dashboard, starting the server,...
⭐ 7· 2.5k·24 current·24 all-time
by Jonathan Jing (@jonathanjing)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the bundled files (frontend, api-server.js, model registry). Declared required binaries (node, openclaw) are reasonable for a dashboard that inspects OpenClaw state. A small mismatch: the code shown primarily reads files and talks to local gateway endpoints rather than invoking an 'openclaw' CLI in visible snippets, but requiring the binary is reasonable for an admin tool that may call it in other code paths.
Instruction Scope
SKILL.md and api-server.js explicitly declare and use local OpenClaw data (~/.openclaw, workspace, sessions, cron, watchdog) and local gateway hooks (127.0.0.1:18789/18790). That is in-scope for an operations dashboard. The instructions and code also include endpoints for triggering tasks, uploading attachments (including optional absolute-path copy), and optional provider audits which contact external provider APIs if enabled. These behaviors are gated by explicit env flags, but they expand the agent's runtime surface significantly when turned on.
Install Mechanism
No external download/install steps are declared (instruction-only install spec). The bundle contains server and frontend JS that run under node. There is no suspicious remote install URL or archive extraction in the metadata provided.
Credentials
No required secrets by default, which is good, but many powerful admin credentials and flags are listed as optional (OPENAI_ADMIN_KEY, ANTHROPIC_ADMIN_KEY, NOTION_API_KEY, OPENCLAW_HOOK_TOKEN, OPENCLAW_AUTH_TOKEN). The code can also auto-load a keys.env file into process.env when ENABLE_KEYS_ENV_AUTOLOAD is set. While these are optional and documented, they are high‑sensitivity and must only be provided in trusted, local deployments — otherwise they enable provider org queries or expose secrets to the dashboard process.
Persistence & Privilege
The skill is not always-enabled and does not request permanent platform-wide inclusion. Mutating capabilities (service restart, backups, npm install, file-copy by absolute path, session patching) exist but are explicitly gated behind environment flags and localhost checks; that model is coherent for an admin tool. There is no evidence it modifies other skills' configs automatically.
Assessment
This is an administrative dashboard that intentionally reads OpenClaw runtime files and can perform high‑privilege actions only when you opt in. Before installing or enabling features:
1) Review api-server.js yourself (it runs as a local Node HTTP server).
2) Never set ENABLE_KEYS_ENV_AUTOLOAD unless you trust the host — it will import keys.env into process.env.
3) Only provide OPENAI_ADMIN_KEY / ANTHROPIC_ADMIN_KEY / NOTION_API_KEY if you need provider audit features, and prefer read‑only / scoped keys.
4) Keep the server bound to localhost and set OPENCLAW_AUTH_TOKEN before exposing it externally; verify DASHBOARD_CORS_ORIGINS.
5) Avoid enabling absolute-path attachment copy, mutating ops, or systemctl restart on multi-user or internet-exposed machines.
If you want higher assurance, run the dashboard in an isolated VM or container and audit any outgoing network calls when enabling provider-audit features.
Like a lobster shell, security has layers — review code before you run it.
latest: vk977g0xyt764rng13rmjx1m4vx828crv
Runtime requirements
📊 Clawdis
Bins: node, openclaw
