Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Openclaw Control Center
v1.0.0OpenClaw 可视化控制中心。当用户需要查看系统状态、打开控制台、监控 AI 运行指标、管理定时任务/会话/技能,或需要可视化运营面板时触发。触发词:打开控制中心 / 控制中心 / dashboard / 系统总览 / 系统状态。
⭐ 0· 271·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description match the actual instructions: the skill uses built‑in OpenClaw tools (session_status, sessions_list, cron, gateway, browser, exec) to collect runtime state and produce a dashboard HTML. The declared tool requirements in metadata.json align with what SKILL.md calls. No unrelated external credentials or binaries are requested.
Instruction Scope
Instructions read local reference files bundled with the skill, call OpenClaw tool APIs to collect runtime data, generate ~/.qclaw/workspace/control-center.html and open it with the system browser. This is appropriate for a dashboard, but professional mode explicitly exposes Session Key / Token / API endpoints and other sensitive fields (per references/pro-mode.md). The SKILL.md also contains rules forbidding such exposure in '简洁模式' but permitting it in '专业模式'.
Install Mechanism
Instruction-only skill with no install spec and no downloads — lowest install risk. The INSTALL.md instructs copying files into the local ~/.qclaw workspace (or Windows path) which is normal for a static dashboard template.
Credentials
The skill requires no environment variables or external credentials, which is consistent. However, because it queries gateway/config and session APIs, the generated professional view can display sensitive internal artefacts (Session Keys, tokens, WebSocket/REST endpoints). Those outputs are proportional to a 'pro' monitoring tool but represent sensitive data exposure — the skill does not request credentials itself, but can reveal them.
Persistence & Privilege
always:false and no system-wide config changes. The skill writes a single HTML file to the user's workspace (~/.qclaw/workspace/control-center.html) and opens it; it does not request persistent elevated privileges or modify other skills. Autonomous invocation is allowed by default but is not combined with any additional high privilege here.
Assessment
This skill is coherent for a local control‑center/dashboard: it collects runtime info from OpenClaw and produces a static HTML you can open. Before installing or using '专业模式' (pro mode), be aware it will display sensitive items such as Session Keys, Tokens, Gateway endpoints and full cron/job payloads. Recommendations: 1) Keep READONLY_MODE or other safety defaults enabled on your Gateway if you will view the pro panel. 2) Do not place the skill into a shared/global skills folder if multiple users/agents can access the same workspace. 3) Inspect the generated control-center.html content before opening it in a browser (or open in a text editor) to confirm no secrets are being written you don't want exposed. 4) Avoid running the 'full deployment' steps (git clone / npm install / run) unless you trust the upstream repo and understand it will run a web server on a local port. If you need a safer setup, use the default 简洁模式 and avoid enabling/displaying the professional tables that include keys/tokens.Like a lobster shell, security has layers — review code before you run it.
latestvk971nyt1b6csf3p5d1y7gnbwys849maz
License
MIT-0
Free to use, modify, and redistribute. No attribution required.