Clawpulse Bridge
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: clawpulse-bridge
Version: 2.0.4
The bundle provides a status bridge and monitor for OpenClaw, allowing users to track agent status, token usage, and activity via a mobile app. It implements security best practices for its use case, including Bearer token authentication and IP address filtering (restricting access to local and Tailscale networks) within the generated Python servers (openclaw-status-server.py and clawpulse-monitor.py). The scripts are transparent, well-documented in SKILL.md, and align strictly with the stated purpose of providing a secure telemetry bridge.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A network user who can reach the monitor port could view assistant status, work state, token-usage counters, timing data, and the monitor's thought/status text without knowing the configured token.
The monitor listens on all interfaces by default and returns internal state before the bearer-token authorization check, so anyone who can reach the port can access that endpoint without the token.
BIND_HOST = os.environ.get("MONITOR_BIND_HOST", "0.0.0.0")
...
if self.path == "/internal":
    with state_lock:
        self._json(200, dict(state))
    return
...
auth = self.headers.get("Authorization", "")
if APP_TOKEN and auth != f"Bearer {APP_TOKEN}":
Require bearer-token authentication before serving /internal, remove or disable that endpoint, and default the monitor to 127.0.0.1 or a Tailscale/firewall-restricted interface.
Anyone who obtains the monitor token can access the token-protected /health or /status endpoints.
The skill generates and prints bearer tokens for app setup, which is expected for this integration but means console output, QR images, and logs containing tokens should be treated as sensitive.
MONITOR_TOKEN=$(python3 - <<'PY'
import secrets
print(secrets.token_urlsafe(32))
PY
)
...
echo "Monitor token: $MONITOR_TOKEN"
Keep generated tokens and QR setup images private, rotate tokens if they are shared, and avoid pasting setup output into public places.
The local status service can keep running, keep ports open, and continue serving status until stopped or killed.
Apply mode restarts and launches a background monitor process. This is purpose-aligned and user-directed, but it persists after the setup command exits.
pkill -f clawpulse-monitor.py >/dev/null 2>&1 || true
set -a
source "$ENV_FILE"
export WORKSPACE MONITOR_BIND_HOST MONITOR_PORT BRIDGE_URL BRIDGE_TOKEN="$STATUS_TOKEN"
set +a
nohup python3 "$MONITOR_PY" >"$LOG_FILE" 2>&1 &
Provide or use a clear stop/uninstall procedure, verify which ports are listening, and run with localhost/Tailscale-only exposure unless remote access is required.
