Agent Dashboard
Review
Audited by ClawScan on May 10, 2026.
Overview
The dashboard is purpose-aligned, but its web tiers can expose and publicly modify operational status data despite local-only and PIN-protection claims.
Tier 1 appears safest because it stays inside OpenClaw. For Tier 2 or Tier 3, assume dashboard data may be public, avoid sensitive task names or URLs, do not rely on a client-side PIN, and tighten Supabase/GitHub access controls before enabling the recurring updater.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may believe the dashboard data remains private when operational status, product URLs, task names, or action items may be publicly accessible.
The skill claims local-only and PIN-protected data, while the recommended GitHub Pages tier uses a public repository and publishes dashboard JSON data.
All data stays on your machine. PIN-protected... gh repo create mission-control --public --clone ... Copy assets/templates/dashboard-data.json to data/
Do not rely on the client-side PIN as the only protection. Use private hosting or avoid putting sensitive operational details in the dashboard.
Anyone who obtains the public Supabase URL and anon key can read or overwrite the dashboard state, potentially falsifying status or action items.
The Supabase setup grants anonymous public read, update, and insert permissions on the dashboard_state table.
CREATE POLICY "Allow public read" ... USING (true); ... CREATE POLICY "Allow public update" ... USING (true) WITH CHECK (true); ... CREATE POLICY "Allow public insert"
Restrict Supabase policies to authenticated users or a server-side update endpoint, and avoid granting anonymous write access unless the data is truly public and tamper-tolerant.
False or attacker-supplied dashboard data could mislead the user about active tasks, cron failures, product status, or urgent action items.
The dashboard stores persistent operational state in a shared table and explicitly allows anonymous updates, so the displayed state can be exposed or poisoned.
data JSONB NOT NULL DEFAULT '{}'; ... The anon key can read and update ONLY this one table ... Worst case: someone overwrites your dashboard status
Treat dashboard content as public and untrusted unless access controls are tightened; validate or authenticate writers before using the dashboard for decisions.
After setup, the updater may continue sharing operational status on a schedule without further prompts.
The skill asks the user to create a recurring background updater that collects agent status and pushes it to the configured dashboard destination.
Create a cron job called "Dashboard Update" that runs every 30 minutes... Run `cron list`... Run `sessions_list`... Push to Supabase (or git push for Tier 2)
Enable the cron only if you want ongoing updates, document where it sends data, and disable it when the dashboard is no longer needed.
