ClawHub

Task Monitor

v1.0.0

Real-time web dashboard for OpenClaw sessions and background tasks. Mobile-responsive with auto-refresh.

10· 3.5k·20 current·23 all-time
by@jorgermp
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description, server.js and helper scripts consistently implement a local dashboard that calls the OpenClaw CLI ('openclaw sessions list --json' and 'openclaw cron list --json') and reads session transcripts to produce summaries. Required binaries/env/credentials are minimal or none, which aligns with a local monitoring tool.
Instruction Scope
SKILL.md instructs running npm install and starting the included server which listens on 0.0.0.0:3030 and serves session and transcript-derived content. The code reads transcript files (~/.openclaw/agents/main/sessions/*.jsonl) and returns the first user message (truncated) as task descriptions — this is consistent with monitoring but means user message contents can be exposed via the dashboard (including to LAN).
Install Mechanism
No install spec is provided; dependency installation is the normal 'npm install' using package.json which only lists express. No remote downloads or extracts; low installation risk.
Credentials
The skill requests no environment variables or credentials, which is appropriate. It does read files under $HOME and ~/.openclaw (transcripts, PID/log files) and writes logs, PID, and DASHBOARD.md — these file accesses are expected for a local monitor but are sensitive (may contain user message content).
Persistence & Privilege
always:false and no modifications to other skills or system-wide configs. The skill creates its own log and PID files and writes DASHBOARD.md; this is normal for a service and within its scope.
Scan Findings in Context
[pre-scan-injection-signals-none] expected: The provided static scan reported no injection signals. The absence of findings is consistent with the code being straightforward Node.js/Express and using child_process exec to invoke the OpenClaw CLI (which is expected for this purpose).
Assessment
This skill is internally consistent with its stated purpose, but it reads local OpenClaw transcripts and serves session content over the network. Before installing: 1) Review the getTaskDescription logic and decide whether exposing the first user message (even truncated) is acceptable. 2) If you don't want LAN access, change the bind address in server.js from 0.0.0.0 to 127.0.0.1 or run behind an authenticated reverse proxy/firewall. 3) Be aware the service writes logs, PID files and DASHBOARD.md into your HOME/workspace — check those locations for sensitive content and adjust paths or permissions as needed. 4) Note minor inconsistencies: generate-dashboard.js writes to $HOME/clawd/DASHBOARD.md while update-dashboard.js expects different paths/inputs; test the scripts you plan to use. 5) Run the server in an isolated account/container if you want to limit any accidental data exposure.

Like a lobster shell, security has layers — review code before you run it.

latestvk978w0et5s4a4wfvwmpkqw43f580cs2r

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments