Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

One-Click Task Dashboard

v1.0.0

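Generate a task data dashboard with one click and keep it refreshed persistently (index.html + data.json + local service). Suited to visualizing and inspecting automated OpenClaw + launchctl tasks.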

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Most files and scripts match the stated purpose: build_dashboard.py aggregates OpenClaw cron and launchctl jobs and setup_dashboard.sh installs two LaunchAgents (refresh and local HTTP server). However, additional scripts to publish the skill to ClawHub (publish_to_clawhub.sh and publish_retry.sh / setup_publisher_retry.sh) are outside the core runtime need for a local dashboard and represent monetization/automation functionality that users may not expect. Also build_dashboard.py contains hardcoded developer paths (/Users/dong/...) that are not general-purpose and are inconsistent with a generic dashboard.
Instruction Scope
The SKILL.md instructs users to run setup_dashboard.sh which will create persistent LaunchAgents and start a local http.server bound to 127.0.0.1 (expected). However build_dashboard.py reads many local files (OpenClaw cron output, Library/LaunchAgents plists, and several specific logs under ~/.openclaw and a hardcoded /Users/dong/... path). Those file reads can surface local, possibly sensitive, data into the generated data.json served over localhost. The publish-related scripts will call npx clawhub whoami/publish and the optional retry agent will repeatedly try to publish — these go beyond dashboard creation and will use the user's existing clawhub auth if present.
Install Mechanism
There is no remote download/install step; this is an instruction-only skill with bundled scripts. No external archives or unusual installers are invoked by the package itself. The scripts call system tools (python3, launchctl, npx) which are standard.
Credentials
The skill declares no required env vars, but runtime behavior will use system state and any existing CLI auth (npx + clawhub) if the user runs publishing scripts. The publish/retry scripts will attempt to use the user's ClawHub CLI credentials (via npx clawhub), which is not declared explicitly and could result in automatic publish actions using the user's account. build_dashboard.py reads specific local filesystem paths (including a hardcoded /Users/dong path) that are unrelated to the advertised generic dashboard and could leak local content into the dashboard.
Persistence & Privilege
The setup scripts write LaunchAgents to ~/Library/LaunchAgents and bootstrap them, creating persistent background jobs (refresh every 5 minutes and an always-on local HTTP server). This is coherent with the stated goal of a resident dashboard, but the optional publisher-retry LaunchAgent would create a persistent periodic process that attempts to publish the skill (every 30 minutes) — a non-obvious persistent action that may have side effects if left enabled.
What to consider before installing
This skill will create persistent launchd jobs (one to refresh the dashboard and one to run a local web server) and may read many files under your home directory to populate the dashboard. Before running it:
1) Inspect scripts in scripts/*.sh and build_dashboard.py yourself (notably build_dashboard.py contains hardcoded paths like /Users/dong/..., which may read unexpected files).
2) If you only want the dashboard, avoid running publish_to_clawhub.sh and do not run setup_publisher_retry.sh (those will call npx clawhub and may use your ClawHub auth to publish).
3) Consider running setup_dashboard.sh in a disposable account or VM first to see what data is collected and served.
4) If you proceed, check ~/Library/LaunchAgents for the created .plist files and remove/unload them with launchctl bootstrap/bootout if you want to uninstall.
5) If you have ClawHub credentials, do not run the publish/retry scripts unless you intend to publish — they will attempt automated publishing and retries using your CLI auth.

Like a lobster shell, security has layers — review code before you run it.
