OpenClaw Dashboard

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This looks like a local dashboard, but the reviewed bundle is incomplete and includes a script that can install persistent auto-heal/watchdog services whose code is not included for review.

Install only after obtaining the complete source for the dashboard server and auto-heal/watchdog helpers. If you proceed, run it manually on localhost first, avoid the launchd installer until reviewed, and confirm exactly what local OpenClaw folders it reads.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

You may be asked to run dashboard code that was not included in the reviewed package, so its behavior and dependencies are unknown.

Why it was flagged

The launcher executes server.py, but server.py is absent from the supplied file manifest/source. The main runtime behavior cannot be reviewed from the provided artifacts.

Skill content

exec /usr/bin/python3 server.py

Recommendation

Do not launch or install the dashboard until the complete runnable source, including server.py, requirements.txt, autoheal.py, and app_watchdog.py, is provided and reviewed.

What this means

If run, the skill can keep background processes active across sessions and automatically start recovery/watchdog helpers whose actions are not reviewable here.

Why it was flagged

The script creates and starts persistent user LaunchAgents for the monitor, auto-heal, and watchdog components. The auto-heal/watchdog code is not included in the reviewed bundle.

Skill content

<key>RunAtLoad</key><true/> ... <key>KeepAlive</key><true/> ... launchctl bootstrap "gui/$UID_NOW" "$AUTOHEAL_PLIST"

Recommendation

Avoid the launchd installer unless you have reviewed the missing helper code. Prefer foreground execution, and use the uninstall script to remove LaunchAgents if already installed.

What this means

The dashboard may read or display local agent state, chat, or case information from your machine.

Why it was flagged

The example configuration points the dashboard at local OpenClaw state and case directories, which may contain private operational context. This is purpose-aligned for monitoring but sensitive.

Skill content

"home": "~/.openclaw", "session_key": "agent:main:main", "case_roots": ["~/Documents/OpenClaw/cases"]

Recommendation

Keep the dashboard bound to localhost, leave cloud_enabled false unless you understand the data flow, and only point it at case directories you are comfortable exposing in the UI.