Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenClaw Web Chat Pro

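Production-grade AI chat web application supporting multiple models, streaming output, session persistence and export, with advanced features including file upload, voice, and multi-device sync.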

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 441 · 0 current installs · 0 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The code, dependencies (express, socket.io) and public UI files align with a web chat app. However the root package.json includes a postinstall script that copies public/* into ~/.openclaw/workspace/chat-web/public/, which is outside this skill's own folder and not documented in SKILL.md; that cross-workspace write is disproportionate to the described purpose.
! Instruction Scope
SKILL.md instructs users to run npm install and npm start but does not mention the postinstall action that will copy files into the user's ~/.openclaw workspace. Running npm install therefore has side effects not disclosed in the runtime instructions.
! Install Mechanism
There is no external download URL, but npm install will run scripts. The root package.json defines postinstall that performs a cp -r public/* to ~/.openclaw/workspace/chat-web/public/ (writing into home). The src/package.json declares an install script (chmod +x install.sh && ./install.sh) and a postinstall node postinstall.js, but neither install.sh nor postinstall.js appear in the provided file list — this mismatch increases risk because referenced install-time scripts are not visible in the manifest.
Credentials
Registry metadata declares no required env vars, but SKILL.md asks users to create a .env with PORT, PASSWORD and ALLOWED_ORIGINS. Defaults (PASSWORD=admin123, ALLOWED_ORIGINS=*) are insecure and not emphasized in the manifest; no external API keys or unrelated credentials are requested.
! Persistence & Privilege
The package does not request platform 'always' privilege, but the postinstall copy writes into ~/.openclaw/workspace/chat-web/public — modifying another workspace's files/config is a privilege escalation across skills and may persist files beyond this skill's directory. This behavior is not documented in SKILL.md.
What to consider before installing
What to check before installing:
- Inspect package.json scripts: the root postinstall runs `cp -r public/* ~/.openclaw/workspace/chat-web/public/`. Decide whether you want files copied into that path; back up ~/.openclaw/workspace/chat-web/public beforehand.
- Audit install-time scripts: src/package.json references `install.sh` and `postinstall.js` but those files aren't listed; confirm they aren't present or malicious before running npm install.
- Review src/server-v15.js for any outbound network calls, telemetry, or hidden endpoints (anything that sends logs or credentials out). If you can't audit the file, run it in an isolated VM or container.
- Change the default PASSWORD (admin123) and avoid ALLOWED_ORIGINS=* in .env; enforce a strong password and restrict CORS to trusted origins.
- To avoid unintended postinstall actions, consider running npm install with scripts disabled (e.g., npm install --ignore-scripts) while you inspect files, or inspect the package contents in a sandbox.
- If you need private/production use, prefer deploying only after full code review; for casual testing, run inside a disposable environment.

If you cannot validate the install-time scripts and server code, treat this package as higher risk and do not install it on a production machine.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0
Tags: ai, chat, latest, web

SKILL.md

OpenClaw Web Chat Pro

Version: 1.0.0
Author: 贝贝
Description: Production-grade AI chat web application


Installation

clawhub install webchat-pro

Usage

cd ~/.openclaw/workspace/skills/webchat-pro
npm install
npm start

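Visit http://localhost:4000

Features

  • ✅ Basic chat (free)
  • ✅ Multi-model switching
  • ✅ Streaming output
  • ✅ Session persistence
  • ✅ Conversation export
  • ✅ Dark mode

Pro features (¥9.99/month)

  • 📁 File upload
  • 🎤 Voice input/output
  • 🔄 Multi-device sync
  • 👥 Team collaboration
  • 📊 Advanced statistics

Enterprise features (¥99/month)

  • 🔒 Private deployment
  • 🔧 Custom models
  • 🔑 SSO login
  • 📝 Audit logs
  • ⚡ SLA guarantee

Configuration

Edit the .env file: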

PORT=4000
PASSWORD=admin123
ALLOWED_ORIGINS=*

API

  • POST /api/chat - Send a message
  • GET /api/models - List models
  • GET /api/health - Health check

Support

Documentation: https://docs.openclaw.ai
Community: https://moltbook.com

Files

16 total