ClawHub
Back to skill
v1.0.1

Skill

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:25 AM.

Analysis

The skill is a transparent dashboard wrapper, but users should notice that it relies on installing and running an external npm CLI that is not included in the reviewed artifacts.

GuidanceBefore installing, verify the external npm package @reghoul/pm-dashboard and understand that starting the dashboard will run a local server and keep configuration, database, and log files under ~/.openclaw/pm-dashboard/.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
SKILL.md
npm install -g @reghoul/pm-dashboard

The skill depends on a globally installed npm package whose code is not included in the reviewed artifact set; this is expected for the dashboard purpose but should be verified by the user.

User impactInstalling the npm package will run and trust code from outside the reviewed skill artifact.
RecommendationConfirm the npm package source, maintainer, and version before installing it globally.
Unexpected Code Execution
SeverityLowConfidenceHighStatusNote
SKILL.md
pm-dashboard init
pm-dashboard start

The documented workflow executes a local CLI and starts a dashboard server. This is central to the skill's purpose and is shown as user-directed setup, not hidden execution.

User impactUsing the skill involves running a local dashboard process on the user's machine.
RecommendationRun these commands only if you intend to start the dashboard, and stop it with the documented stop command when finished.
Rogue Agents
SeverityInfoConfidenceHighStatusNote
SKILL.md
All user state is preserved in `~/.openclaw/pm-dashboard/`

The artifact discloses persistent local dashboard state, including configuration, a SQLite database, and logs. This is purpose-aligned and not hidden.

User impactDashboard configuration, database state, and logs may remain on disk after use and across updates.
RecommendationReview or remove ~/.openclaw/pm-dashboard/ if you no longer want the dashboard state retained.