Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Mission Control
v1.1.2Integrate with Mission Control dashboard to report task progress, publish documents to the Library, request approvals, and submit project requests. Use this...
⭐ 0· 75·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (dashboard, task reporting, library, approvals) match the included files: a backend (Express + SQLite), frontend, lifecycle hook, setup script and full docs. Required binaries (node, npm) are appropriate. The metadata/installation reference to a Node package (mission-control-skill) is consistent with a Node-based install even though full source is included.
Instruction Scope
SKILL.md documents HTTP endpoints and example event payloads (task lifecycle, library publish, approvals). That is within scope. Important notes: examples include file paths and content fields (e.g. source_path: /workspace/docs/... and library:publish content payloads), and session events may include token/cost data in payloads; the lifecycle hook forwards whatever event/data OpenClaw supplies to the configured MISSION_CONTROL_URL. That means agents could send (and the hook will transmit) workspace file contents or session cost/token details if included in events — expected for this integration but a potential data-exfiltration vector if misused.
Install Mechanism
Installation is local: included setup.sh copies the provided app into ~/.openclaw/mission-control, generates a secret and creates backend .env, or can use Docker Compose. The package will run npm to install dependencies (normal for Node apps). There are no downloads from arbitrary shorteners or personal IPs in the provided files. Note: npm install will fetch packages from the public registry — review dependencies if you require strict supply-chain control.
Credentials
The skill itself does not demand unrelated cloud credentials. The install and runtime expect/produce integration secrets: MISSION_CONTROL_HOOK_SECRET and an optional OPENCLAW_GATEWAY_TOKEN (stored in the dashboard .env) so the backend can authenticate with the gateway and validate hook posts. Those are proportional to a dashboard↔agent integration. Be aware that the hook will forward session and tool-call data (including the sessionKey and whatever event payloads OpenClaw provides), so any sensitive data present in events or agent-provided deliverables could be sent to the dashboard backend.
Persistence & Privilege
The skill installs files under the user's OpenClaw directory and copies a hook into ~/.openclaw/hooks and suggests adding an entry to openclaw.json and optionally enabling systemd services or binding to LAN. always:false (no forced inclusion) and autonomous invocation enabled (default) — expected for an integration hook. Because it adds a lifecycle hook and may run a local server, this integration has deeper system presence than instruction-only skills; that's normal but raises the usual operational exposure (service listening ports, CORS, systemd units) which you should control.
Assessment
This skill appears to be what it advertises: a self-hosted dashboard plus an OpenClaw lifecycle hook. Before installing, consider: 1) The setup runs npm install and may pull many third-party Node packages — review package.json/dependencies if you need to limit supply-chain risk. 2) The hook will forward OpenClaw lifecycle events (session keys, tool calls, and any event payloads) to the configured MISSION_CONTROL_URL. If agents include file contents or sensitive session/cost data in events, those will be sent to the dashboard — set a strong HOOK_SECRET and review what agents are allowed to send. 3) The installer and docs provide ways to bind the frontend/backend to the LAN and to run systemd units; only enable those if you intend network exposure and have configured CORS and firewall rules. 4) If you’re uncertain, run the dashboard in Docker or in an isolated environment, inspect installed npm packages, and do not enable the hook in OpenClaw until you’re ready. If you want, I can list the top package.json dependencies to review or point out the exact places agents could unintentionally send local files or credentials.app/backend/src/services/dispatcher.js:51
Environment variable access combined with network send.
app/test-dispatcher.js:26
Environment variable access combined with network send.
hook.ts:33
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Like a lobster shell, security has layers — review code before you run it.
latestvk97dc12n2r0xan4r9w7p41xwjn83b309
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎛️ Clawdis
Binsnode, npm
Install
Install Mission Control skill
npm i -g mission-control-skill