Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Claw Insights Install

v1.0.0

Install and run Claw Insights, a read-only observability dashboard that monitors your OpenClaw agent with zero intrusion — no code changes, no cloud dependen...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The described purpose (local observability reading OpenClaw logs/sessions) aligns with the actions in SKILL.md (reading ~/.openclaw files, writing ~/.claw-insights DB). However, the registry metadata lists no required config paths or env vars while the instructions clearly reference specific files and directories (e.g., ~/.openclaw/agents/main/sessions/sessions.json, /tmp/openclaw/, ~/.claw-insights/*). That metadata omission is an incoherence worth flagging.
Instruction Scope
Runtime instructions direct installing software (curl | sh or npm -g), starting a local server, and reading/writing local files including auth-secret and session files. Those actions are coherent with the stated purpose but the instructions include reading tokens (cat ~/.claw-insights/auth-secret) and environment variables (CLAW_INSIGHTS_API_TOKEN). The SKILL.md gives the agent/user broad filesystem access and an installer command that could run arbitrary code — scope is broader than the metadata suggests.
Install Mechanism
The recommended one-line installer uses curl -fsSL https://claw-insights.com/install.sh | sh. This fetch-and-execute pattern from an unrecognized domain is high-risk (arbitrary remote code execution). The npm global alternative is lower-risk but still relies on a registry package. No vetted release host or checksum is provided.
Credentials
The skill metadata declares no required env vars or config paths, yet the docs rely on multiple CLAW_INSIGHTS_* variables and specific filesystem paths (OpenClaw sessions, logs, and a local auth-secret). The requested local file access is plausible for an observability sidecar, but the metadata underreporting is inconsistent and could mislead users about what will be accessed.
Persistence & Privilege
The service is persistent (creates ~/.claw-insights DB and config and runs a local server) but does not request platform-level privileges or always:true. Persistence is limited to the user's home directory. Operational options like --no-auth and token rotation exist; disabling auth or exposing the server to the network would increase risk but are choices exposed to the user.
What to consider before installing
This skill appears to install a local observability service that reads OpenClaw session/log files and stores metrics in ~/.claw-insights. Before installing:

  (1) Do NOT run the curl | sh one-liner without inspecting the script — download it first and review its contents or use the npm package if you can verify it.
  (2) Verify the install source (claw-insights.com) and look for a public repository, release checksums, or reviews.
  (3) Expect the tool to read files under ~/.openclaw and write to ~/.claw-insights; if you need to protect those files, back them up and run the installer in a sandbox or throwaway VM first.
  (4) Avoid using --no-auth or exposing the service to the network unless you understand the implications.
  (5) Ask the publisher for signed releases or a repository link; lack of provenance is the primary risk here.

Like a lobster shell, security has layers — review code before you run it.


SKILL.md

Install Claw Insights

Announce at start: "I'm setting up Claw Insights — a read-only observability dashboard for your OpenClaw agent."

What is Claw Insights?

A read-only observability dashboard for OpenClaw agents. One command installs it, auto-connects to your running gateway — no configuration needed.

  • Zero intrusion — pure sidecar that reads logs and CLI output only; no code changes, no cloud calls, data stays on your machine
  • Full session replay — complete transcript timeline with role separation, tool calls, and per-turn token tracking
  • Shareable snapshots — generate PNG/SVG status cards with themes, languages, and detail levels via REST API

Runs locally with SQLite. Requires Node.js ≥ 22.5 and a running OpenClaw gateway.

Install

# One-line install (recommended)
curl -fsSL https://claw-insights.com/install.sh | sh

# Or via npm
npm install -g claw-insights
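
The scan report's advice to download the installer, read it, and only then run it can be made repeatable by pinning the digest of the copy you reviewed. This is an added example, not part of SKILL.md or the Claw Insights project; the function names are hypothetical, and the digest is one you record yourself, since the page provides no published checksum.

```shell
#!/bin/sh
# Added example: review-then-pin workflow for a downloaded installer.
# Assumption: the pinned digest is recorded by you after reading the script.

# SHA-256 of a file, portable across Linux (sha256sum) and macOS (shasum).
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Print numbered lines worth reading first: nested downloads, privilege
# escalation, encoded payloads, and the paths named in the scan report.
review_hints() {
  grep -nE 'curl|wget|sudo|eval|base64|\.openclaw|auth-secret|/tmp/openclaw' "$1" || true
}

# Succeed only if the file matches the digest pinned after manual review.
# Returns 2 if the file is missing, 1 on mismatch, 0 on match.
verify_pinned() {
  _file="$1"; _want="$2"
  [ -f "$_file" ] || { echo "missing: $_file" >&2; return 2; }
  _got=$(file_sha256 "$_file")
  if [ "$_got" = "$_want" ]; then
    return 0
  fi
  echo "digest mismatch: got $_got" >&2
  return 1
}

# Execute the installer only when it is byte-identical to the reviewed copy.
run_if_reviewed() {
  verify_pinned "$1" "$2" && sh "$1"
}

# Intended use (the network step is a comment so the block runs offline):
#   curl -fsSL https://claw-insights.com/install.sh -o install.sh
#   review_hints install.sh; less install.sh
#   PINNED=$(file_sha256 install.sh)       # record after you have read it
#   run_if_reviewed install.sh "$PINNED"   # on this or any other machine
```

The same pinned digest covers the Upgrade step: a re-download that no longer matches means the script changed and needs a fresh review before it runs.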

Run

claw-insights start             # Default port 41041, opens browser
claw-insights start --port 8080 # Custom port
claw-insights start --no-auth   # Disable authentication
claw-insights stop              # Stop the service
claw-insights restart           # Restart

Verify

curl http://127.0.0.1:41041/health
# → {"status":"ok",...}

Upgrade

npm update -g claw-insights
# Or re-run the install script
curl -fsSL https://claw-insights.com/install.sh | sh

Quick Config

| Variable | Default | Description |
|---|---|---|
| CLAW_INSIGHTS_SERVER_PORT | 41041 | Server port |
| CLAW_INSIGHTS_API_TOKEN | (auto) | Auth token (min 32 chars) |
| CLAW_INSIGHTS_NO_AUTH | false | Disable auth entirely |
| CLAW_INSIGHTS_DB | ~/.claw-insights/metrics.db | SQLite database path |
| CLAW_INSIGHTS_RAW_RETENTION_DAYS | 7 | Raw metric retention (days) |

Full configuration reference: See references/configuration.md

Troubleshooting

| Symptom | Cause | Fix |
|---|---|---|
| EADDRINUSE | Port already in use | claw-insights stop then retry, or use --port |
| Cannot connect to gateway | OpenClaw gateway not running | Start gateway: openclaw gateway start |
| 401 Unauthorized | Token mismatch | Check CLAW_INSIGHTS_API_TOKEN or use --no-auth |
| Node.js version error | Node.js < 22.5 | Upgrade Node.js to ≥ 22.5 |

More troubleshooting: See references/troubleshooting.md

Next Step

Use the claw-insights-snapshot skill to generate and share visual status cards via REST API.
