Dashboard Manager2
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is mostly a local dashboard manager, but its code exposes undocumented local API actions that can delete documents and create scheduled prompt rules despite documentation claiming only data.json access.
Install only if you trust the local Jarvis dashboard server on localhost:8009 and are comfortable with the skill mutating dashboard data. Before enabling it, update the documentation, restrict or confirm delete/rule actions, and verify what notes, documents, and scheduled prompts the dashboard API can expose.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could change or delete dashboard content or create automation rules on the local Jarvis server if invoked.
The code exposes destructive and mutating local API operations, including document deletion and rule creation, that are not clearly documented as user-confirmed workflows.
async function deleteDocument(docId) { await fetch(`${API_URL}/api/documents/${docId}`, { method: 'DELETE' }); return true; }
...
async function addRule(rule) { ... const result = await apiPost('/api/rules', rule);
Document every exposed API action, require explicit user confirmation for deletes and rule creation, and validate IDs and rule contents before sending them to the local server.
A user may believe the skill only reads and writes one file, while it can actually perform broader mutations through the local dashboard API.
This safety claim understates the implementation: index.js uses a localhost API and includes document and rule endpoints beyond direct access to one data.json file.
- **Limited access**: Only the `data.json` file is accessible
Update the documentation and registry metadata to accurately describe localhost API access, document/rule management, delete capability, and the expected local server.
The skill could keep updating dashboard state without the user seeing each action or understanding when it is active.
The skill instructs ongoing silent background activity, but the artifacts do not describe user controls, opt-in boundaries, or how to stop the behavior.
3. **Auto-sync**: Heartbeat every 2 seconds
4. **Silent mode**: Works without conversational intervention
Make background behavior opt-in, show status to the user, provide a stop/disable mechanism, and avoid silent autonomous updates unless clearly requested.
Private dashboard documents or stored prompts could be pulled into future agent context or altered in ways that affect later behavior.
The implementation can read and write persistent Knowledge Hub documents, but the user-facing documentation does not bound which documents are accessed, retained, or reused.
async function createDocument(title, content, type = 'report', tags = []) { ... apiPost('/api/documents', { title, content, type, tags }); }
...
async function getDocuments() { return await apiGet('/api/documents') || []; }
Clearly disclose document access, limit retrieval to user-selected documents, add retention and exclusion controls, and treat stored prompts/documents as untrusted content.
