Skill v1.0.0

ClawScan security

Agency HQ · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 16, 2026, 5:49 AM
Verdict: Review
Confidence: high
Model: gpt-5-mini
Summary
The skill is largely what it says (a dashboard) but it reads local OpenClaw session files and system stats and will surface user messages and system info — this is coherent with the UI goal but raises privacy/exposure risks if run on a public host or with live mode enabled unintentionally.
Guidance
This project is a legitimate dashboard but it will read and serve local OpenClaw session files (user messages, tool calls) and basic system metrics. Before running or deploying:
- Treat live mode as sensitive: only run ARENA_MODE=live on a machine you control and that is not publicly accessible. If you deploy to a public host (e.g., Vercel) keep ARENA_MODE=demo.
- Inspect ~/.openclaw/agents/*/sessions/*.jsonl to understand what data will be displayed; these files can contain user content you may not want exposed.
- If you must expose the app publicly, add access controls (auth) or remove/obfuscate the activity endpoints.
- Note the code runs shell commands (ps, free, df, uptime). These are read-only but execSync is used — avoid inserting untrusted agent IDs into AGENTS (agent.id ends up interpolated into a shell pipeline in isAgentRunning), and prefer simple ASCII alphanumeric ids to avoid accidental shell interpretation.
- If you want to run locally but minimize data shown, run in demo mode, or modify the extract logic to redact or omit user messages.

Given the potential to surface private session content, proceed with caution — the code appears honest about what it does, but its live mode can leak sensitive data if misconfigured.

Review Dimensions

Purpose & Capability
note: The name/description (pixel-art dashboard for agent teams) matches the code: the app renders a pixel office and provides activity/status/stats endpoints. The code legitimately reads OpenClaw session files and system stats to populate the UI, which is expected for a live-monitoring dashboard. Note: surfacing session 'user' messages and tool calls is part of the feature (activity feed) but is sensitive data.
Instruction Scope
concern: SKILL.md and code explicitly instruct reading ~/.openclaw/agents/{id}/sessions/*.jsonl and cron runs, parsing their JSONL contents, and including user messages in the activity feed; they also read /proc/loadavg and run shell commands (free, df, uptime, ps). That scope is coherent for local live mode, but it means private conversation content and system info will be served by the app's API routes. The README/SKILL.md suggests deploying to Vercel for demo mode — if live mode is enabled (or OPENCLAW_HOME present) on a hosted/public instance this could leak sensitive session data to visitors.
Install Mechanism
ok: No remote download/install spec in the skill registry (instruction-only install). The repository contains normal Node/Next.js source and package.json; nothing is being pulled from unusual or opaque URLs by the skill metadata. Risk mostly comes from running the app, not from how it installs.
Credentials
note: Registry metadata lists no required env vars, but the app code and README rely on HOME and OPENCLAW_HOME to locate session files. Those env vars are reasonable for a local tool, but the skill requests no credential secrets. There's no external API key or unrelated credential requested. Still: environment values (HOME/OPENCLAW_HOME) are used to access local files, which is central to the feature.
Persistence & Privilege
ok: The skill is not force-included (always:false) and does not claim to change other skills or system configuration. It runs server-side endpoints and uses child_process.execSync for a few read-only commands (uptime, free, df, ps) — normal for a local status dashboard. No persistent system-wide modifications are present.