ClawHub

OpenClaw Deck

v0.1.0

Multi-column chat deck UI for OpenClaw agents. Launch a local web interface to manage and chat with multiple agents side-by-side.

4· 902·6 current·6 all-time
by@kellyclaudeai
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the included frontend code and the declared requirements (node, npm). The files implement a browser UI that connects to a Gateway WebSocket. Required binaries (node, npm) and optional env vars (VITE_GATEWAY_URL / VITE_GATEWAY_TOKEN) are appropriate and expected.
Instruction Scope
SKILL.md instructs the agent to run `npm install` (if node_modules missing) and `npm run dev` in the skill directory and to point the user at http://localhost:5173. Those steps are within scope for launching a local frontend. The code references import.meta.env and URL params for gateway URL/token (expected). Be aware the UI will fetch Google Fonts (fonts.googleapis.com) when loaded in the browser and will attempt WebSocket connections to the configured gateway URL (default ws://127.0.0.1:18789).
Install Mechanism
This is an instruction-only install spec but includes package.json and package-lock.json. Running `npm install` will fetch many packages from the npm registry (package-lock is present). This is expected for a modern frontend but carries the usual supply-chain risk (packages may run lifecycle scripts). There is no download-from-arbitrary-URL or extract step in the skill manifest.
Credentials
No credentials are required by the skill. The optional VITE_GATEWAY_URL and VITE_GATEWAY_TOKEN (used to configure the Gateway connection) are proportionate to the purpose. The code does not request unrelated env vars or other service credentials.
Persistence & Privilege
The skill does not request always:true or elevated persistence. It runs a local dev server and does not attempt to modify other skills or system-wide configuration. Autonomous invocation (disable-model-invocation:false) is the platform default and is not combined with other red flags.
Assessment
This skill appears to do exactly what it says: start a local Vite dev server hosting a deck UI that connects to a local OpenClaw Gateway. Before you install/run it, consider: (1) npm install will fetch packages from the public registry — review package-lock.json or run in an isolated environment if you are cautious, since npm packages can include install scripts; (2) the web UI will load Google Fonts (external network call) and will open WebSocket connections to the gateway URL you supply (default ws://127.0.0.1:18789) — do not pass secrets in the browser URL (token in the query string can be exposed in history); (3) verify you actually want a dev server bound to localhost:5173 on your machine; (4) if you need higher assurance, inspect src/lib/store.ts and other omitted files or run npm install in a sandbox/VM. Overall the skill is internally consistent with its description.

Like a lobster shell, security has layers — review code before you run it.

latestvk97783nn20bwvmc0bz1gwfpm1x80t4jr

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🦞 Clawdis
OSmacOS · Linux · Windows
Binsnode, npm

Comments