Live Sessions Dashboard

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local OpenClaw sessions dashboard, but its documented environment-variable safety control for disabling sensitive log access is not implemented in the CLI script.

Install only if you are comfortable with a local dashboard reading OpenClaw session metadata. To avoid log access, use the explicit --no-subscribe flag; do not rely on AGENT_MONITOR_NO_SUBSCRIBE because this version does not implement it. Review the generated HTML before sharing it, since it can include session identifiers, models, token totals, costs, and timing information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 83%
Finding:
The skill documentation describes running local shell commands (`openclaw sessions`, optional `openclaw logs`), writing HTML output to disk, and using environment variables to alter behavior, but it does not declare corresponding permissions. This creates a permission-transparency gap: users and platforms may underestimate that the skill can access sensitive session/log data and persist derived output, increasing the chance of unintended exposure of prompts, secrets, or PII.

VirusTotal

66/66 vendors flagged this skill as clean.
