Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenClaw Dashboard

v1.0.2

Use when the user wants a local visual operations dashboard for OpenClaw, with a cute robot presentation, live status visibility, chat access, efficiency tre...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims a local dashboard and includes helper scripts and macOS launchd integration — that aligns with a persistent local dashboard. However SKILL.md and README list core runtime files (server.py, monitor_config.py, autoheal.py, app_watchdog.py) that are not present in the provided file manifest, which is an important inconsistency.
! Instruction Scope
Runtime instructions and scripts instruct the agent (or user) to start/stop the dashboard and to install launchd plists that will RunAtLoad and KeepAlive Python processes. Those scripts point to server.py and other Python services that are not included, so the true runtime behavior cannot be audited from the provided package. The config example also references a local OpenClaw home (~/.openclaw) and a session_key value, implying the dashboard may read local agent state.
Install Mechanism
There is no external download/install spec (no network fetches), which reduces supply-chain risk. But the install_launchd.sh script writes three LaunchAgents into $HOME/Library/LaunchAgents and bootstraps/enables them via launchctl; that creates persistent background services and log files in the repo directory. This is expected for a local persistent dashboard, but it is privileged persistence and should only be used after code review of the invoked Python scripts.
Credentials
The manifest declares no required env vars or credentials, which is proportional. However config.example.json references a local OpenClaw home (~/.openclaw) and a session_key-like string (agent:main:main). If the real server code reads that location or session data, it could access local agent state or tokens — we can't confirm because the referenced Python files are missing.
! Persistence & Privilege
Running the installer will create persistent launchd services (KeepAlive, RunAtLoad, StartInterval) that run as the user and will restart automatically. 'always' is false in registry metadata, so the skill won't be forced into every agent run, but the installer itself grants the package persistent background execution on the machine if executed.
What to consider before installing
Do not run install_launchd.sh or start_bg.sh until you have the missing Python runtime files (server.py, autoheal.py, app_watchdog.py) and have reviewed them. The installer will create persistent macOS LaunchAgents that auto-restart Python processes. Specifically:

1) Verify server.py and the other referenced Python scripts exist and inspect them for network activity, credential access, or code that reads/writes ~/.openclaw or other sensitive paths.
2) Confirm the package origin (repository URL and author) and prefer running in an isolated test account or VM first.
3) If you only want a one-off local demo, use ./run_monitor.sh (foreground) rather than installing launchd services.
4) If you find code that reads session files or makes outbound connections, treat that as a red flag unless you explicitly expect that behavior.

If you cannot obtain or review the missing Python files, avoid installing the launchd services — the package cannot be fully audited as provided.

Like a lobster shell, security has layers — review code before you run it.
