Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenClaw Dashboard

v1.0.0

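Real-time monitoring of the running status and token consumption of multiple AI agents, with support for session lists and rich-text status push to Feishu groups.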

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description match the implementation: collector runs `openclaw status`, parses sessions/tokens, renderer builds a local dashboard, and index.js exposes /status, /sessions, /status-card commands. Requesting no credentials and no unrelated binaries aligns with a local dashboard.
Instruction Scope
SKILL.md explicitly instructs using `openclaw status` (local command) which is exactly what the code does. The README and SKILL.md mention Feishu card push; the code builds an interactive card payload but does not perform an HTTP request itself — this implies the platform or OpenClaw 'channel' is expected to handle sending. A prompt-injection pattern (unicode control characters) was detected in SKILL.md and should be manually reviewed.
Install Mechanism
No install spec (instruction-only skill) and bundled code files only. No downloads or archive extraction are present. Risk from install-time behavior is minimal; runtime will execute included JS when invoked.
Credentials
No required env vars or credentials declared. The code only reads process.env.COMPUTERNAME for a node name (non-sensitive). No secrets, API keys, or unrelated service tokens are requested.
Persistence & Privilege
Skill is not marked always:true, doesn't request persistent privileges, and does not modify other skills or system-wide settings. It only exposes functions to be invoked by the agent.
Scan Findings in Context
[unicode-control-chars] unexpected: Hidden/unicode control characters were detected in SKILL.md. This is not expected for a dashboard skill and may be an attempt to manipulate or obfuscate content for reviewers or the agent. It could also be an accidental formatting artifact; open the SKILL.md in a hex-aware editor and remove unexpected control characters.
Assessment
This skill appears to do what it says: it runs the local `openclaw status` command, parses results, builds a dashboard and a Feishu card payload. It does not request credentials or make outbound network calls itself (the Feishu payload is constructed but not sent by the included code). Before installing: 1) verify that your OpenClaw environment provides the expected Feishu channel integration (since the skill assumes the platform will perform the push), 2) manually inspect SKILL.md for hidden Unicode/control characters (the scanner flagged this), and 3) run the skill in a non-production environment first to confirm its parsing and outputs behave as you expect. If you need the skill to actually send Feishu messages from the local host, expect to provide channel/token configuration separately and audit any code that would perform HTTP requests.
scripts/collector.js:22
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.
