Security Dashboard

Real-time security monitoring dashboard for OpenClaw and Linux server infrastructure. Monitors gateway status, network security, public exposure, system updates, SSH access, TLS certificates, and resource usage.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (security monitoring of OpenClaw and Linux) matches the code: server.js runs many local system checks (systemctl, ss, fail2ban, tailscale, journalctl, file perms). Requiring access to system status commands is expected. However, some implementation details are odd: the installer creates a dedicated user with no home (/nonexistent) yet server.js expects to read files under $HOME and uses ~ in many shell commands — that will make many OpenClaw-specific checks fail when the service runs as the dedicated user unless run as root or the service user is given a real home or sudo access to read those files.
Instruction Scope
SKILL.md stays within the stated scope (install, start, access, configuration) and all runtime instructions operate on local system state. But the installer creates a sudoers file that allows the service user to run a number of system utilities with wildcards (notably 'journalctl *' and 'ss *'), which can expose arbitrary logs or system socket/process info beyond narrowly scoped checks. The README/SKILL.md do not document the exact sudoers entries in detail for user review before installation (they are present in scripts/install.sh).
Install Mechanism
There is no remote download; installation is via bundled scripts that create a systemd service and a sudoers file. Installing writes to /etc/systemd/system and /etc/sudoers.d (sensitive system areas) which is expected for a local monitoring service but is a privileged change and should be inspected prior to running. No external URLs or archives are fetched during install.
Credentials
The skill requests no environment variables or external credentials. However, the installer grants the service user passwordless sudo for several commands with globs (systemctl is-active *, systemctl status *, journalctl *, ss *, tailscale status * etc.). For a monitoring dashboard, systemctl/fail2ban/ufw/ss/tailscale access is reasonable, but 'journalctl *' is broad and could reveal unrelated logs (potential secrets). Also running the service as root is explicitly allowed (and documented as dangerous) — the combination of allowed sudo commands and root/run-as-root option raises privilege concerns that should be restricted to the minimum needed.
Persistence & Privilege
The skill installs a persistent systemd service and enables it at boot (normal for a dashboard). always is false and the skill does not request to auto-enable itself across the platform. The main elevation vector is the sudoers entry (NOPASSWD) for the dashboard user — this is normal for local monitoring but increases blast radius if the dashboard process is compromised. The service uses systemd hardening flags (NoNewPrivileges, ProtectSystem, PrivateTmp) which is a positive mitigation.
What to consider before installing
Before installing, review the included files (scripts/install.sh and server.js) yourself or on a test machine. Specific checks:

  • Inspect /etc/sudoers.d/openclaw-dashboard the installer creates. The rule uses wildcards (e.g., 'journalctl *') — consider narrowing this to only the journalctl invocations needed (for example '-u sshd' or specific time ranges) to avoid exposing unrelated logs.
  • Prefer running as the dedicated user but give that user a real home or adjust server.js to read the OpenClaw config via a configurable path (do not rely on /nonexistent HOME). If you must run as root, be aware of the higher risk.
  • Confirm the service runs with the intended hardened systemd flags (NoNewPrivileges, ProtectSystem, ReadWritePaths limited to skill directory). Don’t change these without understanding the consequences.
  • Audit server.js for any commands that call sudo or parse files (fs.readFileSync and many execSync calls). Ensure they only access the data you want monitored and do not transmit data externally (there are no outgoing network calls in the code provided, but review future updates).
  • Consider running the dashboard in an isolated environment (container or VM) first to validate behavior and to avoid exposing sensitive host logs or files.
  • If you accept the install, restrict the sudoers entries to the minimal commands and arguments required and verify file ownership/permissions for the OpenClaw config the dashboard needs to read.

If you want, I can produce a tightened sudoers snippet and a checklist of the least-privileged commands the dashboard needs, or point out exact lines in server.js that would need modification to make the service run under a non-login dedicated user.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.2.1

Tags: dashboard, devops, infrastructure, latest, monitoring, security


SKILL.md

Security Dashboard Skill

Real-time security monitoring dashboard for OpenClaw and Linux server infrastructure.

Features

  • OpenClaw Security: Gateway status, binding, authentication, sessions, version tracking
  • Network Security: Tailscale status, public ports, firewall, active connections
  • Public Exposure: Port binding analysis, dashboard security, exposure level assessment
  • System Security: Updates, uptime, load, failed login attempts
  • SSH & Access: Password auth status, fail2ban, banned IPs, active sessions
  • Certificates & TLS: Caddy status, TLS configuration, WireGuard encryption
  • Resource Security: CPU/memory/disk usage, config file permissions

Installation

1. Install the Skill

cd /root/clawd/skills/security-dashboard
sudo ./scripts/install.sh

This will:

  • Ask user preference: Run as dedicated user (recommended) or root
  • Create openclaw-dashboard user with limited sudo privileges (if non-root)
  • Create systemd service with security hardening
  • Configure localhost binding (127.0.0.1 only)
  • Start the dashboard on port 18791
  • Enable auto-start on boot

Security Note: Running as a dedicated user with limited sudo is recommended. The dashboard only needs sudo for security checks (fail2ban, firewall, systemctl status) - not full root access.

2. Access the Dashboard

Localhost only (secure by default):

Via SSH port forwarding:

ssh -L 18791:localhost:18791 root@YOUR_SERVER_IP

Then visit: http://localhost:18791

Usage

Start/Stop/Restart

sudo systemctl start security-dashboard
sudo systemctl stop security-dashboard
sudo systemctl restart security-dashboard

Check Status

sudo systemctl status security-dashboard

View Logs

sudo journalctl -u security-dashboard -f

API Endpoint

Get raw security metrics:

curl http://localhost:18791/api/security | jq

Security Hardening

The dashboard follows security best practices to minimize attack surface:

Dedicated User (Recommended)

The install script creates an openclaw-dashboard user with limited sudo privileges:

  • ✅ No shell access (/bin/false)
  • ✅ No home directory
  • ✅ Only specific sudo commands allowed (fail2ban, firewall, systemctl status)
  • ✅ Cannot execute arbitrary commands

Systemd Hardening

Service runs with security restrictions:

NoNewPrivileges=true      # Cannot escalate privileges
PrivateTmp=true          # Isolated tmp directory
ProtectSystem=strict     # Read-only filesystem except skill dir
ProtectHome=true         # No access to /home
ReadWritePaths=...       # Only skill directory is writable
Restart=on-failure       # Restart only on crashes (not always)

Network Binding

  • Default: 127.0.0.1 (localhost only)
  • Not accessible from network without SSH tunnel or VPN
  • No public exposure risk

Running as Root (Not Recommended)

If you choose root during install:

  • ⚠️ Full system access if compromised
  • ⚠️ No privilege separation
  • ⚠️ Only suitable for trusted, isolated environments

Use the dedicated user option for production deployments.

Configuration

Change Port

Edit /root/clawd/skills/security-dashboard/server.js:

const PORT = 18791; // Change this

Then restart:

sudo systemctl restart security-dashboard

Change Binding

Default: 127.0.0.1 (localhost only - secure)
Alternative: 0.0.0.0 (all interfaces - only with Tailscale!)

Edit server.js line 445:

server.listen(PORT, '127.0.0.1', () => {
  // Change '127.0.0.1' to '0.0.0.0' if needed
});

⚠️ Security Warning: Only bind to 0.0.0.0 if behind Tailscale or firewall!

Customize Metrics

Add custom checks in server.js:

  • getOpenClawMetrics() - OpenClaw-specific metrics
  • getNetworkMetrics() - Network security
  • getSystemMetrics() - System-level checks
  • getPublicExposure() - Port/binding analysis

Dashboard Sections

🦞 OpenClaw Security

  • Gateway running/stopped status
  • Binding configuration (loopback/public)
  • Auth token length and mode
  • Active sessions + subagents
  • Skills count
  • Current version + update availability

🌐 Network Security

  • Tailscale connection status + IP
  • Public ports count
  • Firewall status (UFW/firewalld)
  • Active TCP connections

🌍 Public Exposure

  • Exposure level (Excellent/Minimal/Warning/High)
  • Public port details (service names)
  • Kanban board binding
  • Security dashboard binding
  • OpenClaw gateway binding
  • Tailscale active/inactive
  • Security recommendations
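An added example, not the skill's code, of how an exposure level can be derived from `ss -tlnp` output: each LISTEN socket is classified as loopback, Tailscale (100.64.0.0/10) or public, and the level is computed from the public ones. The sample output and the level thresholds are constructed assumptions, not values from the dashboard.

```javascript
'use strict';
// Constructed sample of `ss -tlnp` output (not captured from a real host).
const SAMPLE_SS = `State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    127.0.0.1:18791   0.0.0.0:*   users:(("node",pid=1234,fd=18))
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*   users:(("sshd",pid=800,fd=3))
LISTEN 0      4096   100.64.0.5:18789  0.0.0.0:*   users:(("openclaw-gateway",pid=900,fd=7))
LISTEN 0      511    [::]:443          [::]:*      users:(("caddy",pid=950,fd=9))
LISTEN 0      128    [::1]:6379        [::]:*      users:(("redis-server",pid=1000,fd=6))`;

// Parse LISTEN rows into { addr, port, proc }; IPv6 addresses lose their brackets.
function parseListeners(text) {
  const out = [];
  for (const line of text.split('\n').slice(1)) {
    const cols = line.trim().split(/\s+/);
    if (cols[0] !== 'LISTEN') continue;
    const local = cols[3];
    const i = local.lastIndexOf(':');
    const addr = local.slice(0, i).replace(/^\[|\]$/g, '');
    const m = /"([^"]+)"/.exec(line);
    out.push({ addr, port: Number(local.slice(i + 1)), proc: m ? m[1] : 'unknown' });
  }
  return out;
}

// Tailscale assigns addresses from the CGNAT range 100.64.0.0/10.
const TAILSCALE_RANGE = /^100\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7])\./;

function bindingClass(addr) {
  if (addr === '127.0.0.1' || addr === '::1') return 'loopback';
  if (TAILSCALE_RANGE.test(addr)) return 'tailscale';
  return 'public'; // 0.0.0.0, :: or a routable interface address
}

// Assumed mapping: no public listeners is Excellent, only expected ports
// (SSH, HTTPS by default) is Minimal, anything else is Warning or High.
function exposureLevel(listeners, allowed = new Set([22, 443])) {
  const pub = listeners.filter((l) => bindingClass(l.addr) === 'public');
  const unexpected = pub.filter((l) => !allowed.has(l.port));
  if (pub.length === 0) return 'Excellent';
  if (unexpected.length === 0) return 'Minimal';
  return unexpected.length >= 3 ? 'High' : 'Warning';
}
```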

🖥️ System Security

  • Updates available
  • Server uptime
  • Load average
  • Failed SSH logins (24h)
  • Root processes count

🔑 SSH & Access Control

  • SSH service status
  • Password authentication (enabled/disabled)
  • fail2ban status
  • Banned IPs count
  • Active SSH sessions

📜 Certificates & TLS

  • Caddy status
  • Public TLS enabled/disabled
  • Tailscale WireGuard encryption

📊 Resource Security

  • CPU usage percentage
  • Memory usage percentage
  • Disk usage percentage
  • Config file permissions (should be 600)

Security Alerts

Dashboard generates real-time alerts:

Critical (Red):

  • Weak gateway token (< 32 chars)
  • SSH password authentication enabled
  • Insecure config permissions (not 600)
  • Firewall inactive (UFW/firewalld not running)
  • fail2ban inactive (SSH brute-force protection disabled)

Warning (Yellow):

  • Tailscale disconnected
  • 20+ system updates available
  • 10+ failed login attempts in 24h
  • Disk > 80% full

Info (Blue):

  • Gateway exposed without Tailscale
  • Non-standard configurations

Integration Points

Morning Briefing

Add security status to morning report:

curl -s http://localhost:18791/api/security | jq '.status'

Heartbeat Checks

Monitor for critical alerts:

curl -s http://localhost:18791/api/security | \
  jq '.alerts[] | select(.level == "critical")'

Alerting Integration

Pipe alerts to notification systems:

./scripts/check-alerts.sh | xargs -I {} notify-send "Security Alert" "{}"

Architecture

Backend: Node.js HTTP server
Frontend: Vanilla JavaScript (no frameworks)
Port: 18791 (configurable)
Binding: 127.0.0.1 (localhost only)
Service: systemd unit

Files:

  • server.js - Main backend (metrics collection + API)
  • public/index.html - Dashboard UI
  • lib/ - Shared utilities (if needed)

Dependencies

  • Node.js (v18+)
  • systemctl - Service management
  • ss - Socket statistics
  • ufw or firewalld - Firewall check
  • tailscale - VPN status (optional)
  • fail2ban - Ban tracking (optional)
  • openclaw - Gateway monitoring

All dependencies are standard Linux utilities except OpenClaw.

Troubleshooting

Dashboard not loading

  1. Check service status:

    sudo systemctl status security-dashboard
    
  2. Check logs:

    sudo journalctl -u security-dashboard -n 50
    
  3. Verify port is listening:

    ss -tlnp | grep 18791
    
  4. Test API directly:

    curl http://localhost:18791/api/security
    

Gateway Status "Unknown"

  • Verify OpenClaw gateway is running:

    pgrep -f openclaw-gateway
    
  • Check OpenClaw config exists:

    cat ~/.openclaw/openclaw.json
    

Metrics showing "Unknown"

  • Commands may require sudo permissions
  • Check script execution permissions
  • Verify paths exist (sessions, skills, etc.)

Uninstall

sudo systemctl stop security-dashboard
sudo systemctl disable security-dashboard
sudo rm /etc/systemd/system/security-dashboard.service
sudo systemctl daemon-reload

Then remove skill directory:

rm -rf /root/clawd/skills/security-dashboard

Publishing

To publish to ClawdHub:

clawdhub publish security-dashboard

License

MIT

Author

Created by Erdma for Brian Christner's infrastructure monitoring.
