OpenClaw Deck
Pass
Audited by ClawScan on May 10, 2026.
Overview
The visible artifacts match a local multi-agent chat deck, but users should notice that it installs npm packages, runs a local web server, and sends chats to the configured OpenClaw Gateway.
This skill appears coherent for launching a local OpenClaw deck UI. Before installing, be comfortable with npm install/npm run dev, use only a trusted OpenClaw Gateway URL, avoid putting sensitive tokens in shared URLs, and remember that the visible review did not include all listed source files.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may download packages and run a local web server when launched.
Invocation can install npm dependencies and start a Vite dev server. This is expected for a local web UI and is scoped to the skill directory, but users should understand it runs local commands and third-party npm code.
If not, run `npm install` in `{baseDir}`. ... Start the dev server by running `npm run dev` in `{baseDir}`.
Install only if you are comfortable running this npm project locally; review package.json/package-lock.json if you need stricter supply-chain assurance.
If you use a gateway token, it may grant access to your OpenClaw Gateway, and tokens in URLs can be exposed through browser history or shared links.
The UI can use an optional gateway token from a URL query parameter or Vite environment variable. This appears purpose-aligned for authenticated gateway access, but it is not declared as a credential in the registry metadata.
token: params.get("token") || import.meta.env.VITE_GATEWAY_TOKEN || undefined
Use tokens only with trusted gateways, avoid sharing URLs containing token parameters, and prefer local/private configuration where possible.
Messages typed into the deck are sent to the configured OpenClaw Gateway; an untrusted gateway could see those messages.
The deck sends chat traffic to a WebSocket gateway selected by query parameter, environment variable, or the localhost default. This is core functionality, but the destination controls where user messages and any optional auth token go.
params.get("gateway") || import.meta.env.VITE_GATEWAY_URL || "ws://127.0.0.1:18789"
Use the default localhost gateway or another gateway you trust, and verify the displayed gateway URL before sending sensitive prompts.
Opening the UI may contact Google Fonts from the browser.
The local UI fetches fonts from Google at runtime. This is common for web apps, but users expecting a fully local/offline interface should notice the external resource.
@import url("https://fonts.googleapis.com/css2?family=DM+Sans:wght@400;500;600;700&family=JetBrains+Mono:wght@400;500&display=swap");
If fully local operation is required, remove the remote font import or self-host the fonts.
