OpenClaw Dashboard
v1.2.0
A real-time monitoring dashboard for OpenClaw agents. Track agents, sub-agents, cron jobs, costs, project progress, and session replay — all in one dark-mode...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (real-time monitoring dashboard) matches what the bundle does: a React/Vite frontend and an Express backend that reads OpenClaw state under ~/.openclaw (agents, sessions, cron, cost, subagents, workspace files) and serves a monitoring UI. Required resources (none declared) and the files included are consistent with this purpose.
Instruction Scope
SKILL.md instructs running the project locally (npx clawhub install, npm install, npm run dev). The runtime instructions and server code read local OpenClaw files (sessions, auth-profiles, workspace/SOUL.md, MEMORY.md, etc.) — exactly what a dashboard needs. That means the skill will access conversation contents, session metadata, and any tokens stored in those files; this is expected for a local dashboard but important to be aware of.
Install Mechanism
No install spec provided in the registry and SKILL.md shows normal npm-based installation (npm install / npm run dev). The package.json/dependencies are standard for a React + Express app. No remote binary download or obscure install URL was used in the provided manifest. Typical npm dependency supply-chain risks remain (large package-lock), but the install mechanism itself is standard and proportionate.
Credentials
The skill declares no required env vars or credentials. The server uses process.env.HOME/USERPROFILE to locate ~/.openclaw; it does not request external API keys. However, the server will read files under ~/.openclaw (including auth-profiles.json, session JSONL files and workspace files) that may contain API tokens, credentials, or private conversation content. Access to those files is consistent with the dashboard's purpose but is sensitive — the skill does not ask for explicit consent beyond you running it locally.
Persistence & Privilege
The skill does not request always:true or other elevated platform privileges. It does not modify other skills or global agent settings. It launches a local Express server (PORT 3721) and Vite dev server — normal for a web UI. Note: Express defaults to listening on all interfaces unless bound explicitly; this affects network exposure (see guidance).
Assessment
This dashboard appears to be what it claims — a local UI that reads your OpenClaw installation under ~/.openclaw and serves a web interface. Before installing/running it:
- Understand what will be read: sessions, logs, workspace files (SOUL.md, MEMORY.md, IDENTIY.md), auth-profiles.json, cron runs — these can include private conversation data and stored API keys.
- Run it locally only: bind the Express server to localhost (127.0.0.1) or run behind an authenticated reverse proxy if you need remote access. By default Express will listen on all interfaces, which could expose data if your machine is network-accessible.
- Audit secrets: check ~/.openclaw/auth-profiles.json and other files for credentials you don’t want to expose; remove or rotate tokens if needed before running.
- Install in an isolated environment: consider a dedicated user account, container, or VM to reduce blast radius from npm dependency risks. The package-lock is large (many deps) — npm install will pull many packages.
- Optional: inspect server.js endpoints (e.g., /api/*) to confirm they only serve read-only data you expect and do not provide write, shell-exec, or remote-forwarding functionality.
If you need, I can: (a) highlight exact paths the server reads, (b) show the Express routes present in server.js, or (c) suggest a one-line change to bind the server to 127.0.0.1.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🖥️ Clawdis
