Bot Status API

This skill is coherent for local monitoring, but it reads local OpenClaw files and runs shell commands you configure — so review and harden before use. Key things to consider before installing: - Inspect config.json: service checks of type "command" and email accounts execute whatever commands you put there; treat these as powerful and only use trusted commands. - Least privilege: run the service under a dedicated low-privilege user so it cannot read unrelated sensitive files. Do not run as root. - Sensitive files access: the collectors read files under your OpenClaw home/workspace (heartbeat-state.json, cron/jobs.json, auth-profiles.json). Ensure you’re comfortable exposing those contents via the /status endpoint locally or to any network. - Public exposure: /status returns system metrics, skill lists, cron job metadata and service summary. Avoid binding to a public network or put it behind authentication/reverse proxy if you must expose it externally. - Command injection / unsanitized exec: services.checkFileExists uses exec(`ls ${svc.path}`) and other code runs user-supplied commands and `which` on discovered bin names. Make sure service paths and skill directories are trusted and not writable by untrusted users. - TLS behavior: the server forces NODE_TLS_REJECT_UNAUTHORIZED=0 to allow self-signed Portainer connections; this disables TLS validation globally. Prefer configuring Portainer with proper certs or carefully restrict network access if you keep this behavior. If you want a safer deployment: run on localhost only, restrict via firewall, remove/replace the global TLS-disable line, and avoid adding untrusted skillDirs or service commands to config.json.