ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Agency HQ

A pixel art office visualization for your AI agent team. Shows real-time agent status, activity feeds, and personality-driven banter. Works with OpenClaw in...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 23 · 0 current installs · 0 all-time installs
by@spockthegreatbot
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description (pixel-art dashboard for agent teams) matches the code: the app renders a pixel office and provides activity/status/stats endpoints. The code legitimately reads OpenClaw session files and system stats to populate the UI, which is expected for a live-monitoring dashboard. Note: surfacing session 'user' messages and tool calls is part of the feature (activity feed) but is sensitive data.
!
Instruction Scope
SKILL.md and code explicitly instruct reading ~/.openclaw/agents/{id}/sessions/*.jsonl and cron runs, parsing their JSONL contents, and including user messages in the activity feed; they also read /proc/loadavg and run shell commands (free, df, uptime, ps). That scope is coherent for local live mode, but it means private conversation content and system info will be served by the app's API routes. The README/SKILL.md suggests deploying to Vercel for demo mode — if live mode is enabled (or OPENCLAW_HOME present) on a hosted/public instance this could leak sensitive session data to visitors.
Install Mechanism
No remote download/install spec in the skill registry (instruction-only install). The repository contains normal Node/Next.js source and package.json; nothing is being pulled from unusual or opaque URLs by the skill metadata. Risk mostly comes from running the app, not from how it installs.
Credentials
Registry metadata lists no required env vars, but the app code and README rely on HOME and OPENCLAW_HOME to locate session files. Those env vars are reasonable for a local tool, but the skill requests no credential secrets. There's no external API key or unrelated credential requested. Still: environment values (HOME/OPENCLAW_HOME) are used to access local files, which is central to the feature.
Persistence & Privilege
The skill is not force-included (always:false) and does not claim to change other skills or system configuration. It runs server-side endpoints and uses child_process.execSync for a few read-only commands (uptime, free, df, ps) — normal for a local status dashboard. No persistent system-wide modifications are present.
What to consider before installing
This project is a legitimate dashboard but it will read and serve local OpenClaw session files (user messages, tool calls) and basic system metrics. Before running or deploying: - Treat live mode as sensitive: only run ARENA_MODE=live on a machine you control and that is not publicly accessible. If you deploy to a public host (e.g., Vercel) keep ARENA_MODE=demo. - Inspect ~/.openclaw/agents/*/sessions/*.jsonl to understand what data will be displayed; these files can contain user content you may not want exposed. - If you must expose the app publicly, add access controls (auth) or remove/obfuscate the activity endpoints. - Note the code runs shell commands (ps, free, df, uptime). These are read-only but execSync is used — avoid inserting untrusted agent IDs into AGENTS (agent.id ends up interpolated into a shell pipeline in isAgentRunning), and prefer simple ASCII alphanumeric ids to avoid accidental shell interpretation. - If you want to run locally but minimize data shown, run in demo mode, or modify the extract logic to redact or omit user messages. Given the potential to surface private session content, proceed with caution — the code appears honest about what it does, but its live mode can leak sensitive data if misconfigured.
src/app/api/agents/stats/route.ts:10
Shell command execution detected (child_process).
src/app/api/agents/status/route.ts:69
Shell command execution detected (child_process).
src/app/api/agents/activity/route.ts:24
Environment variable access combined with network send.
src/app/api/agents/stats/route.ts:48
Environment variable access combined with network send.
src/app/api/agents/status/route.ts:97
Environment variable access combined with network send.
!
src/app/api/agents/activity/route.ts:43
File read combined with network send (possible exfiltration).
!
src/app/api/agents/status/route.ts:43
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk97bcctn3vxvjeycpx9ztjs015831ym9

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Agency HQ — AI Agent Office

A real-time pixel art visualization of your AI agent team. Agents move between rooms (office, kitchen, game room, server room) based on their actual status. Includes a live activity feed, agent spotlight cards, and personality-driven chat.

When to Use

  • You want a visual dashboard showing what your agents are doing
  • You want to showcase your agent team to others (demo mode)
  • You want a fun, always-on display of your OpenClaw setup

Setup

1. Clone and Install

git clone https://github.com/enjinstudio/agency-hq.git
cd agency-hq
npm install

2. Configure Mode

Copy .env.example to .env.local:

cp .env.example .env.local

Set ARENA_MODE=live to connect to your OpenClaw instance, or leave as demo for simulated data.

3. Customize Your Agents

Edit src/lib/agents.ts. Each agent needs:

FieldDescription
idMust match your OpenClaw agent ID (e.g., main, dev, research)
nameDisplay name
emojiAvatar emoji
roleRole label shown in spotlight
modelModel name shown in spotlight
colorHex color for theme and pixel art
deskDesk position: command, dev, trading, research, design, security, content, strategy, engineering, pm, finance
accessoryPixel art accessory: glasses, hat, badge, headphones, scarf, cap, bowtie, visor, antenna, crown, monocle

4. Customize Chat Lines (Optional)

Edit src/lib/agent-chat.ts to write personality-driven banter. Each agent has:

  • general — random lines said to the room
  • to{AgentName} — directed lines at specific agents (30% chance)

5. Run

# Development
npm run dev

# Production
npm run build && npm start

6. Deploy to Vercel (Optional)

Push to GitHub and import in Vercel. Demo mode activates automatically on Vercel.

How Live Mode Works

In live mode, the app reads from your OpenClaw directory:

  • Agent status — scans ~/.openclaw/agents/{id}/sessions/*.jsonl for recent activity
  • Activity feed — extracts user messages and tool calls from session files
  • System stats — reads /proc/loadavg, runs free -m and df
  • Room assignment — active agents → office, idle → kitchen/game room, offline → rest room

No database. No external APIs. Just reads files from disk.

Requirements

  • Node.js 20+
  • OpenClaw (for live mode only)
  • npm

Notes

  • The chat system generates fun flavor text — it's not real agent communication
  • Demo mode works everywhere, including Vercel, with zero configuration
  • The pixel art renderer uses Canvas2D — no WebGL required, works in all browsers
  • Mobile responsive — stacks vertically on small screens

Files

26 total
Select a file
Select a file to preview.

Comments

Loading comments…