Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
OpenClaw Usage Dashboard
v2.0.2
Interactive local dashboard for OpenClaw API usage. Shows token consumption, request counts, and system health across all configured LLM models — broken down...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description claim a local dashboard that reads OpenClaw session logs; the package includes server.js and dashboard.html that read ~/.openclaw/agents/*/sessions/*.jsonl and compute aggregates (tokens, request counts, system health). No unrelated credentials or services are requested.
Instruction Scope
SKILL.md instructs running node server.js and opening localhost. server.js reads only local session log files and exposes aggregated metrics; it does not embed instructions to read unrelated system state or exfiltrate data. The server does run a small set of fixed system commands (vm_stat, df, powershell, openclaw version, and platform openers) for system-health fields, which matches the 'system health' feature described.
Install Mechanism
No install spec is provided (instruction-only install), and the README/SKILL.md explicitly tell the user to run node server.js. No third-party packages or remote downloads are required. Code is included in the skill bundle so nothing needs to be fetched from external URLs at install time.
Credentials
The skill requests no environment variables or credentials. The server contains explicit sanitization patterns and an audit claiming it redacts secrets and does not return raw message content. The few operations that could surface sensitive text (parsing toolResult text) are used only to extract numeric rate-limit headers, not to expose raw responses.
Persistence & Privilege
The skill does not request permanent 'always' inclusion and binds to localhost by default. It opens a local HTTP server and may auto-open the user's browser; it does not modify other skills or global agent settings.
Assessment
This skill appears to do what it says: run a local Node server that reads ~/.openclaw/agents/*/sessions/*.jsonl and shows usage metrics on http://localhost:PORT. Before installing/running: (1) Inspect server.js yourself (it is bundled) to verify you are comfortable with the file I/O and the fixed system commands it runs; (2) Run it unprivileged (your normal user), not as root/admin; (3) Confirm the server binds only to localhost (SKILL.md and code default to 127.0.0.1) or explicitly pass --host 127.0.0.1; (4) If you are concerned about secrets in logs, either review a few session files manually or run the server in a sandbox to confirm no raw secrets are exposed; (5) Because the server uses execSync for system health commands, make sure your platform's commands are safe and that the machine is otherwise secure. If you need additional assurance, you can run node server.js in an isolated environment and monitor outbound network activity to confirm nothing leaves your machine.
server.js:398
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
