Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Mission Control
v1.0.0
macOS-native web dashboard for monitoring and controlling your OpenClaw agent. Live chat, cron management, task workshop, scout engine, cost tracking, and more.
⭐ 3 · 4.9k · 27 current · 27 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The stated purpose (macOS-native dashboard) reasonably explains needing node/npm and connecting to an OpenClaw gateway, but the SKILL.md also references running a systemd service (Linux) which contradicts the macOS claim. The repo clone/run workflow is plausible for a dashboard, but some capabilities (auto-detecting gateway token, reading IDENTITY.md) are not declared in metadata.
Instruction Scope
Runtime instructions explicitly tell the agent/operator to clone a GitHub repo and run its server, and say the app auto-detects and reads sensitive local files (~/.openclaw/openclaw.json and IDENTITY.md) to obtain a gateway token and agent identity. Those file accesses and the handling of gateway tokens are not declared in requires.config and represent scope creep relative to the registry metadata.
Install Mechanism
There is no formal install spec (instruction-only), which limits packaged risk. However, the SKILL.md instructs cloning and executing code from a third‑party GitHub repo (node server.js), which is expected for this type of tool but still means remote code will run on the host — review the repository before executing.
Credentials
The SKILL.md mentions needing a Brave Search API key (for Scout) and accessing the OpenClaw gateway token file, yet the registry metadata lists no required environment variables or config paths. Requesting (or auto-reading) gateway credentials is sensitive and should be explicitly declared; the current mismatch is disproportionate and unexpected.
Persistence & Privilege
The skill is not marked always:true and is user-invocable only. It does not request permanent platform presence or claim to modify other skills; autonomy defaults are unchanged.
What to consider before installing
This skill will clone and run a third‑party web dashboard and (per its instructions) auto-detect and read your OpenClaw gateway token (~/.openclaw/openclaw.json) and IDENTITY.md. The registry metadata does not declare these file/credential accesses, and the README inconsistently mentions macOS and systemd. Before installing: (1) review the GitHub repo code to confirm how it uses and stores your gateway token and any API keys; (2) avoid running it with your real gateway token until you’ve audited it (use a test agent or sandboxed environment); (3) be cautious about supplying Brave Search or AWS credentials — add them only if you understand where they will be sent; (4) prefer running in an isolated VM/container and check mc-config.json for external endpoints and credential storage locations. If you want me to, I can enumerate the exact places in the repo to inspect (startup/server code, config parsing, outbound network calls) — but you must provide the repo contents or a link for review.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🖥️ Clawdis
Bins: node, npm
