status-web
小雨 bot 状态监测页面技能包。提供实时监控 OpenClaw Agent 工作状态、定时任务和系统健康状况的 Web 界面。包含静态缓存机制确保快速加载,美化 UI 界面,以及独立部署能力。使用场景:需要监控 AI Agent 运行状态、查看最近工作记录、管理定时任务、检查系统健康状况。
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 1 · 1.1k · 13 current installs · 13 all-time installs
byYitao&Agents@ra1nzzz
MIT-0
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The description is a simple status/monitoring web UI, which would reasonably read local status and maybe call OpenClaw APIs. However the shipped code expects to execute the OpenClaw CLI (execSync('openclaw ...')), read files under /home/admin/openclaw/workspace/memory, and relies on additional modules (get-scheduled-tasks-simple) that are referenced but not present. The skill declares no required binaries or env vars despite depending on the openclaw CLI and a specific filesystem layout—this mismatch is incoherent.
Instruction Scope
Runtime instructions and scripts attempt to read agent memory files, call a local OpenClaw HTTP endpoint (update-cache.sh calls http://localhost:18789/api/status), and execute OpenClaw CLI commands. The POST /api/chat endpoint, when given a special activation phrase (or unlocked=true), runs `openclaw agent --session-id <hardcoded-id> --message ...` via shell exec and returns the result. That effectively provides a remote-to-agent relay with only a magic-string check (no proper auth). SKILL.md startup instructions reference start.sh and server.js at top-level, but the repository uses different filenames/paths, creating further mismatch.
Install Mechanism
There is no external install/download step (instruction-only install spec), so no remote code is fetched during install. The risk here comes from the included files themselves (they will run on the host), but there are no URLs/archives to flag.
Credentials
The skill requests no environment variables or credentials, yet the code accesses sensitive local paths (/home/admin/openclaw/workspace and its memory files), expects the 'openclaw' CLI to be present, and calls localhost:18789. For a simple UI this access could be reasonable, but the lack of explicit declared requirements (binaries, config paths, or auth requirements) is disproportionate and hides the true privileges the skill needs.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. However, it opens a local web server exposing an unauthenticated chat API that can invoke the agent CLI (with a hardcoded main session id). That increases blast radius if the server is reachable — you should treat the service as potentially able to influence the agent at runtime and restrict network exposure and authentication accordingly.
What to consider before installing
Key things to consider before installing: 1) The package's files contain hardcoded paths (/home/admin/openclaw/workspace), expect an 'openclaw' CLI, and will exec shell commands — it needs privileges to read agent memory and run the agent CLI. 2) Several inconsistencies exist: the SKILL.md/start instructions reference different script names/paths than provided (start.sh vs start-server.sh; server.js location), and the module get-scheduled-tasks-simple is required by server.js but not included — the package appears incomplete or mispackaged. 3) The POST /api/chat endpoint can forward messages to the OpenClaw agent using a hardcoded mainSessionId after a simple magic-string check; there is no real authentication. If you expose this server to a network, an attacker who discovers the endpoint or magic phrase could interact with the agent. 4) Recommended actions: run this only in an isolated environment (container or VM), do not bind to 0.0.0.0 on public interfaces, require/implement proper authentication for /api/chat, review and fix path/script mismatches (ensure start script points to the correct server.js and included modules exist), remove or harden any ability to exec the OpenClaw CLI from web-exposed endpoints, and audit the memory files the code will read to confirm no sensitive data is exposed. If you cannot verify or fix these issues, treat the package as untrusted and do not run it on production agents.Like a lobster shell, security has layers — review code before you run it.
Current versionv1.0.0
Download ziplatest
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
小雨 Bot 状态监测页面
概述
这是一个完整的 Web 应用,用于实时监控 OpenClaw Agent 的运行状态。它提供三个主要功能模块:
- 最近工作:显示 Agent 最近完成的工作任务
- 定时任务:显示当前配置的定时任务及其下次执行时间
- 健康状态:显示系统运行时间、CPU 负载、内存可用性、OpenClaw 连接状态等
核心特性
静态缓存优先
- 页面加载时优先从
status-cache.json静态文件读取数据 - 确保用户访问时立即显示内容,避免"加载中..."等待
- 后台静默从 API 获取最新数据并更新显示
美化 UI 界面
- 渐变背景设计(紫色到蓝色)
- 响应式卡片布局,支持桌面和移动设备
- 悬停动画效果,提升用户体验
- 彩色状态指示器(绿色正常、黄色警告、红色错误)
独立部署
- 完全独立的 Node.js 服务器,不依赖 OpenClaw 主进程
- 可以在任意端口运行(默认 8888)
- 支持 Cloudflare Tunnel 外网访问
隐藏彩蛋功能
- 在标题上连续点击 7 次可激活隐藏聊天窗口
- 支持与小雨进行秘密对话(需验证身份)
部署说明
文件结构
xiaoyu-bot-status/
├── SKILL.md
├── server.js # 主服务器文件
├── public/ # 静态资源目录
│ ├── index.html # 主页面(包含静态缓存逻辑)
│ └── status-cache.json # 静态缓存文件
├── scripts/ # 数据获取脚本
│ ├── get-work-tasks-fixed.js # 获取最近工作数据
│ ├── get-scheduled-tasks-simple.js # 获取定时任务数据
│ └── auto-update-work-fixed.js # 自动更新工作记录
└── references/ # 参考文档
└── api-spec.md # API 接口规范
启动服务
# 在技能目录下运行
node server.js
# 或使用启动脚本
./start.sh
自动缓存更新
创建 cron 任务每 3 小时更新缓存:
# 缓存更新脚本位置
/home/admin/openclaw/workspace/skills/xiaoyu-bot-status/scripts/update-cache.sh
API 接口
GET /api/status
返回完整的状态数据,包含:
recent_work: 最近工作列表scheduled_tasks: 定时任务列表health_status: 系统健康状态last_updated: 最后更新时间
POST /api/chat
处理隐藏聊天功能的消息(需要身份验证)
使用场景
- 日常监控:定期查看 Agent 工作状态和系统健康度
- 故障排查:当 Agent 出现异常时快速定位问题
- 任务管理:查看和验证定时任务的执行情况
- 性能优化:监控 CPU 和内存使用情况
- 演示展示:向他人展示 AI Agent 的工作成果
维护建议
- 定期检查缓存更新脚本是否正常运行
- 监控服务器日志 (
server.log) 发现潜在问题 - 根据实际需求调整数据刷新频率(默认 2 秒后台刷新)
- 如需修改 UI 样式,直接编辑
public/index.html中的 CSS 部分
Files
8 totalSelect a file
Select a file to preview.
Comments
Loading comments…