Clawstatus Dashboard

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill is a straightforward dashboard installer/runner, but it fetches live GitHub code and can expose the dashboard on the LAN.

This skill appears coherent for installing and running ClawStatus. Before using it, make sure you trust the GitHub repository it installs from, consider using a virtual environment, and avoid binding the dashboard to all network interfaces unless you intentionally want LAN access.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing or updating could run whatever code is currently in that GitHub repository.

Why it was flagged

The installer fetches or updates live code from an external GitHub repository without pinning a commit or release. This is expected for an install/update skill, but users must trust the upstream repository and its future changes.

Skill content
REPO_URL="${REPO_URL:-https://github.com/NeverChenX/ClawStatus.git}"
...
git clone "$REPO_URL" "$TARGET_DIR"
...
git -C "$TARGET_DIR" pull --ff-only
Recommendation

Review the upstream repository before installing, consider pinning to a trusted tag or commit, and avoid using a modified REPO_URL unless you trust it.

What this means

The install step can affect the user's Python packages and execute setup/build behavior from the cloned project.

Why it was flagged

The script installs the cloned Python project in editable mode, which can execute package installation logic and modify the user's Python environment. This is purpose-aligned for deploying the dashboard.

Skill content
python3 -m pip install --user --break-system-packages -e "$TARGET_DIR"
Recommendation

Prefer installing in a virtual environment or dedicated user account, and avoid --break-system-packages unless it is truly needed.

What this means

Other devices on the same network may be able to access the dashboard if the host firewall permits it.

Why it was flagged

The recommended run command binds the dashboard to all network interfaces and the verification instructions explicitly include LAN access. This is disclosed and consistent with the stated LAN-host purpose, but it widens who may reach the dashboard.

Skill content
foreground: `clawstatus --host 0.0.0.0 --port 8900 --no-debug`
...
LAN: `curl -I http://<lan-ip>:8900/`
Recommendation

Bind to 127.0.0.1 when LAN access is not needed, and use firewall rules or authentication appropriate for the environment.