Claw Insights Install

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is coherent for a local OpenClaw observability dashboard, but it recommends running unreviewed remote install code for software that reads and stores agent session data.

Review the installer or npm package before installing, keep authentication enabled, bind the service to localhost unless you add strong access controls, and confirm the retention/database settings match your privacy expectations.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing could run code that is outside the reviewed skill artifacts, and that software will be positioned to monitor local OpenClaw activity.

Why it was flagged

The primary install path executes code downloaded at install time, and the npm alternative is not version-pinned. The artifacts do not include that installer/package code for review.

Skill content

curl -fsSL https://claw-insights.com/install.sh | sh

# Or via npm
npm install -g claw-insights

Recommendation

Inspect the install script/package before running it, prefer pinned versions or checksums where available, and install only if you trust the publisher and domain.

What this means

Agent prompts, tool activity, and operational history may be viewable through the dashboard or represented in stored metrics.

Why it was flagged

The dashboard reads OpenClaw session/log data and persists metrics locally, with some aggregate retention described as permanent.

Skill content

`CLAW_INSIGHTS_DB` ... `~/.claw-insights/metrics.db`
`CLAW_INSIGHTS_SESSIONS_PATH` ... `~/.openclaw/agents/main/sessions/sessions.json`
`CLAW_INSIGHTS_LOG_DIR` ... `/tmp/openclaw/`
`CLAW_INSIGHTS_HOURLY_RETENTION` ... `permanent`

Recommendation

Keep the database protected, review retention settings, and avoid running the dashboard on machines or accounts where other users should not see OpenClaw activity.

What this means

If authentication is disabled or the service is exposed beyond localhost, other users could access the dashboard’s OpenClaw activity data.

Why it was flagged

The service supports bearer-token authentication but also documents an option to disable authentication entirely.

Skill content

claw-insights start --no-auth   # Disable authentication
`CLAW_INSIGHTS_API_TOKEN` ... Auth token
`CLAW_INSIGHTS_NO_AUTH` ... Disable auth entirely

Recommendation

Leave authentication enabled, keep the token secret, and do not expose the service to a network or the internet without a strong access-control layer.