Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Subagent Dashboard
v1.0.0
Web dashboard for real-time monitoring and management of OpenClaw subagents. Use when monitoring or managing subagents.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The skill name/description (Subagent Dashboard) matches what the included code and docs do: a Flask web UI that reads OpenClaw session and transcript files and displays agent status. Required packages (Flask, flask-cors) and the presence of dashboard.py align with the stated purpose.
Instruction Scope
The SKILL.md and README explicitly state the dashboard will read ~/.openclaw session and transcript files and use a subagent-tracker skill — this matches dashboard.py. The app can also request refresh/restart actions and talk to a gateway endpoint; that interaction is expected for managing subagents but expands scope beyond 'view-only' monitoring. The dashboard auto-refreshes frequently (every 3s).
Install Mechanism
There is no remote install/download. start_dashboard.sh creates/uses a local venv and pip-installs the two pinned packages from requirements.txt. This is a low-risk, standard local install pattern.
Credentials
The SKILL.md/README document use of OPENCLAW_HOME/OPENCLAW_WORKSPACE and allow PORT to be set; the Python code also respects those env vars. However dashboard.py also has a GATEWAY_URL / OVERCLAW_GATEWAY_URL env var (defaulting to http://localhost:18800) that is not clearly documented in SKILL.md. The skill does not request secrets, but it does read many local OpenClaw files (sessions, transcripts, runs.json, logs) which is justified for monitoring but worth noting because those files may contain sensitive data.
Persistence & Privilege
always is false and the skill is user-invocable only. It does not request persistent elevated platform privileges or modify other skills' configs. It can, however, call the gateway to request restarts — an expected capability for a management dashboard but one that performs actionable operations.
Assessment
This skill appears to be what it says: a local web dashboard that reads your OpenClaw session/transcript files and can interact with a local gateway to refresh or restart agents. Before installing/running:
1) Review scripts/dashboard.py (already included) to confirm you’re comfortable with it reading ~/.openclaw and invoking any gateway endpoints.
2) Note that the app enables CORS for API routes (origins='*'), so avoid running it on a publicly reachable host; bind it to localhost or firewall it.
3) There is an OVERCLAW_GATEWAY_URL env var used by the code (defaults to http://localhost:18800) that isn’t clearly documented — set it explicitly if you rely on a gateway.
4) The start script creates a local venv and installs Flask and flask-cors; run those steps in an isolated environment if you have security concerns.
5) If you expect only read-only monitoring, be aware the dashboard includes actions (refresh/restart) that will attempt to contact the gateway or run tracker scripts — only run if you trust the gateway and subagent-tracker code.
If you want higher assurance, run the dashboard in a restricted container or inspect/hand-audit any network/subprocess calls in dashboard.py before use.
Like a lobster shell, security has layers — review code before you run it.
