Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Understand-Anything-Dashboard

v1.1.0

Launch the interactive web dashboard to visualize a codebase's knowledge graph

by Yuxiang Lin @lum1104

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for lum1104/understand-dashboard.

Install the skill "Understand-Anything-Dashboard" (lum1104/understand-dashboard) from ClawHub.
Skill page: https://clawhub.ai/lum1104/understand-dashboard
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install understand-dashboard

ClawHub CLI


npx clawhub@latest install understand-dashboard
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's purpose is to launch a local dashboard for a project's knowledge graph, which is coherent. However, the SKILL.md assumes availability of shell, pnpm, npx, Node, and Vite but the registry metadata declares no required binaries or environment variables. Requiring npm tooling is proportionate to the task, but those dependencies should be declared.
Instruction Scope
Instructions tell the agent to run shell commands, install Node dependencies (pnpm install), and run npx vite --open in the background. They reference resolving a plugin root via $0 and an undeclared environment variable (${CLAUDE_PLUGIN_ROOT}). The instructions do not request unrelated system files, but they do rely on runtime environment details that are not declared and may cause the agent to fetch/execute remote packages.
Install Mechanism
There is no install spec, yet the runtime steps include pnpm install and npx vite. npx can download and execute packages from the npm registry on demand; pnpm install may run package install scripts. This dynamic fetching/execution from external registries is an elevated risk and should be explicit in the metadata or avoided by requiring pre-installed binaries.
Credentials
The skill declares no required environment variables but references GRAPH_DIR (set at runtime) and ${CLAUDE_PLUGIN_ROOT} (an undeclared variable) and suggests using $ARGUMENTS/$0. Accessing or relying on undeclared env vars is a mismatch and could lead to unexpected behavior. No secrets are requested, which is appropriate.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent platform privileges. It runs a background local dev server, which is expected for this purpose and not inherently a privilege escalation.
What to consider before installing
This skill intends to start a local Vite-based dashboard and is plausible, but the SKILL.md expects tooling and environment pieces that are not declared. Before installing or running it, verify you have Node, a package manager (pnpm or compatible), and Vite installed. Be aware that the instructions use pnpm install and npx vite, which may download and run code from the npm registry (install scripts or npx-launched packages) — only proceed if you trust the dashboard code and your network. Also check where the plugin expects its files to live: the SKILL.md uses $0 and ${CLAUDE_PLUGIN_ROOT} to locate packages/dashboard, which may not resolve correctly in your agent runtime. Recommended actions: (1) ask the publisher to list required binaries (node, pnpm/npm, npx/vite) and any env variables, (2) prefer running vite from an explicit, pre-installed binary rather than npx, or audit the project's package.json before running pnpm install, and (3) run this skill in a sandboxed or development environment if you have any doubt.

Like a lobster shell, security has layers — review code before you run it.

latest vk979p97t6qff29wwh59qr955ms839cvk
173 downloads
0 stars
1 versions
Updated 22h ago
v1.1.0
MIT-0

/understand-dashboard

Start the Understand Anything dashboard to visualize the knowledge graph for the current project.

Instructions

  1. Determine the project directory:

    • If $ARGUMENTS contains a path, use that as the project directory
    • Otherwise, use the current working directory
  2. Check that .understand-anything/knowledge-graph.json exists in the project directory. If not, tell the user:

    No knowledge graph found. Run /understand first to analyze this project.
    
  3. Find the dashboard code. The dashboard is at packages/dashboard/ relative to this plugin's root directory. Use the Bash tool to resolve the path:

    PLUGIN_ROOT="$(cd "$(dirname "$0")/../.." && pwd)"
    

    Or locate it by checking these paths in order:

    • ${CLAUDE_PLUGIN_ROOT}/packages/dashboard/
    • The parent directory of this skill file, then ../../packages/dashboard/
  4. Install dependencies if needed:

    cd <dashboard-dir> && pnpm install --frozen-lockfile 2>/dev/null || pnpm install
    
  5. Start the Vite dev server pointing at the project's knowledge graph:

    cd <dashboard-dir> && GRAPH_DIR=<project-dir> npx vite --open
    

    Run this in the background so the user can continue working.

  6. Report to the user:

    Dashboard started at http://localhost:5173
    Viewing: <project-dir>/.understand-anything/knowledge-graph.json
    
    The dashboard is running in the background. Press Ctrl+C in the terminal to stop it.
    

Notes

  • The dashboard auto-opens in the default browser via --open
  • If port 5173 is already in use, Vite will pick the next available port
  • The GRAPH_DIR environment variable tells the dashboard where to find the knowledge graph
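
The scan findings above can be checked before steps 4 and 5 run. The following pre-flight is an added example, not part of the skill or of ClawHub's tooling; the function names `resolve_dashboard` and `preflight` are hypothetical. It stops when the dashboard's dependencies are not already pinned and installed, the situation in which `pnpm install` and `npx vite` would resolve or download packages at run time.

```shell
# Added example: pre-flight checks for the /understand-dashboard steps.
# Function names are hypothetical; nothing here comes from the skill itself.

# resolve_dashboard <candidate-root>...
# Prints the first <root>/packages/dashboard that contains a package.json.
# Empty candidates (for example an unset CLAUDE_PLUGIN_ROOT) are skipped, so
# an unset variable cannot silently resolve to /packages/dashboard.
resolve_dashboard() {
  for rd_root in "$@"; do
    [ -n "$rd_root" ] || continue
    if [ -f "$rd_root/packages/dashboard/package.json" ]; then
      printf '%s\n' "$rd_root/packages/dashboard"
      return 0
    fi
  done
  return 1
}

# preflight <project-dir> <dashboard-dir>
# Prints one finding per line; returns 0 only when nothing would have to be
# fetched or re-resolved from the npm registry at run time.
preflight() {
  pf_rc=0
  if [ ! -f "$1/.understand-anything/knowledge-graph.json" ]; then
    echo "FAIL no knowledge graph in $1: run /understand first"; pf_rc=1
  fi
  if [ ! -f "$2/pnpm-lock.yaml" ]; then
    echo "FAIL no pnpm-lock.yaml: the plain 'pnpm install' fallback is unpinned"; pf_rc=1
  fi
  if [ ! -x "$2/node_modules/.bin/vite" ]; then
    echo "FAIL vite not installed locally: npx would fetch it from the npm registry"; pf_rc=1
  fi
  for pf_tool in node pnpm; do
    command -v "$pf_tool" >/dev/null 2>&1 || { echo "FAIL $pf_tool not on PATH"; pf_rc=1; }
  done
  return "$pf_rc"
}
```

A typical call is `d=$(resolve_dashboard "$CLAUDE_PLUGIN_ROOT" "$fallback_root") && preflight "$project_dir" "$d"`, where `fallback_root` and `project_dir` are variables the caller sets.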
