Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Claw Insights Snapshot

v1.0.0

Generate visual status cards for your OpenClaw agent as PNG, SVG, or JSON. The rendered cards are designed for social sharing and mobile-friendly channels —...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to generate visual status cards for an OpenClaw agent and its instructions call a local HTTP API (127.0.0.1:41041) and a CLI (claw-insights). That purpose is coherent with the described JSON schema (gateway, tokens, sessions). However, the registry metadata lists no required binaries or env vars even though the SKILL.md clearly expects local tooling (claw-insights, openclaw, curl/jq) and an optional bearer token. This mismatch is unexplained and worth confirming with the author or package source.
Instruction Scope
Instructions are narrowly scoped to generating snapshots via a localhost API or CLI and to optional follow-up steps (upload to chat channels). They reference user-local resources only (e.g., ~/.claw-insights/logs/, hostname, gateway metrics). There is no instruction to read arbitrary unrelated files or to transmit data to remote endpoints beyond user-initiated channel uploads. Still, the skill expects access to system metrics and logs, which is reasonable for status cards but should be explicit in metadata.
Install Mechanism
There is no install spec (instruction-only), which is low-risk in general. But because the runtime assumes an installed local service/CLI (claw-insights and openclaw) and use of curl/jq, the absence of any declared install requirements or preconditions is inconsistent and may lead to silent failures or misconfiguration. No external download URLs or archives are present.
Credentials
SKILL.md shows using an Authorization Bearer token ($TOKEN) and flags a --no-auth mode, yet the skill metadata declares no required environment variables or primary credential. The use of a bearer token is expected for an API but the skill should declare it. Also running with --no-auth (if binding to an interface wider than localhost) could expose sensitive runtime data; the instructions do not discuss network binding or access controls.
Persistence & Privilege
The skill does not request always:true and has no install script or code that persists itself or modifies other skills. Autonomous invocation is allowed by default but that is normal. Nothing in the package requests elevated or persistent privileges.
What to consider before installing
This skill appears to be a front-end to a local 'claw-insights' service and is otherwise instruction-only; however the SKILL.md expects local binaries and a bearer token while the metadata lists no required binaries or env vars. Before installing or using it:

  1. Verify you have the local 'claw-insights'/'openclaw' service and CLI installed from a trusted source.
  2. Confirm whether a token is required and where it should be stored; do not paste a high-privilege token into unclear contexts.
  3. Check that the local service listens only on localhost (not 0.0.0.0) if you plan to use --no-auth, so you don't expose metrics externally.
  4. Inspect/obtain the source for the actual 'claw-insights' service (not just this skill) to ensure it doesn't exfiltrate data.
  5. Ask the publisher to update registry metadata to declare required binaries and the expected env var(s) (TOKEN) so the relationship between purpose and required capabilities is explicit.
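
One way to run the localhost-binding check before using --no-auth, as an added example that is not part of the skill or the scan report: it classifies `ss -H -ltn` output for port 41041 (the port the SKILL.md uses). The function names and the sample listener lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: decide whether a TCP port is bound to loopback only.
# Live use:  ss -H -ltn | classify_binding 41041

# Reads `ss -H -ltn` lines on stdin (State Recv-Q Send-Q Local Peer) and prints
#   loopback-only | exposed:<addr>[,<addr>...] | not-listening
classify_binding() {
  awk -v port="$1" '
    {
      n = split($4, parts, ":")            # $4 = Local Address:Port
      if (parts[n] != port) next           # last ":"-field is the port
      addr = substr($4, 1, length($4) - length(parts[n]) - 1)
      seen = 1
      # 127.0.0.0/8, ::1 and IPv4-mapped loopback are not reachable remotely.
      if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /^\[::ffff:127\./) next
      exposed = (exposed ? exposed "," : "") addr
    }
    END {
      if (!seen)        print "not-listening"
      else if (exposed) print "exposed:" exposed
      else              print "loopback-only"
    }'
}

# Gate for --no-auth: succeeds only when every listener on the port is loopback.
no_auth_is_safe() {
  [ "$(classify_binding "$1")" = "loopback-only" ]
}

# Constructed sample input (not captured from a real host).
SAMPLE_LOCAL='LISTEN 0 511 127.0.0.1:41041 0.0.0.0:*
LISTEN 0 511 [::1]:41041 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_WIDE='LISTEN 0 511 0.0.0.0:41041 0.0.0.0:*
LISTEN 0 511 [::]:41041 [::]:*'

printf '%s\n' "$SAMPLE_LOCAL" | classify_binding 41041
printf '%s\n' "$SAMPLE_WIDE"  | classify_binding 41041

if printf '%s\n' "$SAMPLE_WIDE" | no_auth_is_safe 41041; then
  echo "ok to run without auth"
else
  echo "keep the bearer token: port is reachable beyond localhost"
fi
```

A wildcard listener (`0.0.0.0`, `[::]` or `*`) is reported as exposed even if a host firewall currently blocks the port, since the firewall rule is a separate control that can change.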

Like a lobster shell, security has layers — review code before you run it.

SKILL.md

Snapshot Status Cards

Announce at start: "I'm generating a visual status card for your OpenClaw agent."

What is a Snapshot?

A snapshot is a server-rendered visual status card — not a browser screenshot. Powered by Satori, it renders in ~200ms with no browser dependency.

The output is designed to look great in chat: compact, readable on mobile, and visually appealing enough to share. It shows token usage, session activity, error counts, and gateway health in a single glance.

Formats: PNG (default), SVG, or raw JSON for programmatic use.

REST API

curl -X POST http://127.0.0.1:41041/api/snapshot \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"detail":"standard","range":"6h","theme":"dark"}' \
  -o snapshot.png

No-auth mode: start with claw-insights start --no-auth, then omit the Authorization header.

The response includes a Content-Disposition header with a timestamped filename.

CLI

claw-insights snapshot                        # Save to ~/.claw-insights/snapshots/
claw-insights snapshot --quick -o status.png  # Compact mobile snapshot
claw-insights snapshot --format json | jq .   # JSON to stdout
claw-insights snapshot --dry-run              # Preview parameters only

CLI flags: --format, --detail, --range, --theme, --lang, -o <path>, -t <token>, --port, --quick, --dry-run. Run claw-insights snapshot --help for full usage.

Parameters

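| Field  | Default (REST / CLI)   | Options                    | Description            |
|--------|------------------------|----------------------------|------------------------|
| detail | standard               | compact / standard / full  | Detail level           |
| format | png                    | png / svg / json           | Output format          |
| range  | 24h (REST) / 6h (CLI)  | 30m / 1h / 6h / 12h / 24h  | Time range for metrics |
| theme  | dark                   | dark / light               | Color theme            |
| lang   | en                     | en / zh                    | Language               |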

Note: REST API and CLI have different default range values. REST defaults to 24h (full day overview), CLI defaults to 6h (quick status check). Both accept the same set of values.

Which detail level?

  • compact — Summary numbers only (session count, total tokens, error count). Best for embedding in chat messages.
  • standard — Session list + metrics charts. Default for most use cases.
  • full — Everything: session list, all charts, event log. Best for reports and archival.

Common Workflows

Push status card to a channel

Works with any messaging channel — Slack, Telegram, Discord, WhatsApp, etc.

# 1. Generate a compact status card
curl -X POST http://127.0.0.1:41041/api/snapshot \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"detail":"compact","range":"6h"}' \
  -o /tmp/status.png

# 2. Send via your channel's tool or API
#    The compact detail level is optimized for mobile chat bubbles.

Tips:

  • compact — best for chat messages (summary numbers only, small image)
  • standard — best for daily check-ins (session list + charts)
  • full — best for reports and archival

Scheduled status report

# Full snapshot with 24h range
curl -X POST http://127.0.0.1:41041/api/snapshot \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"detail":"full","range":"24h"}' \
  -o /tmp/daily-report.png

Programmatic metrics extraction

# Get raw data as JSON
curl -X POST http://127.0.0.1:41041/api/snapshot \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"format":"json","range":"6h"}' \
  -o metrics.json

JSON schema: See references/json-schema.md

Error Handling

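| Status             | Cause                        | Fix                                        |
|--------------------|------------------------------|--------------------------------------------|
| 401                | Missing or invalid token     | Check Bearer token, or use --no-auth mode  |
| 502                | OpenClaw gateway not running | openclaw gateway start                     |
| 500                | Internal server error        | Check logs: ~/.claw-insights/logs/         |
| Connection refused | claw-insights not running    | claw-insights start                        |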
