OpenClaw Dashboard Connector - ClawHQ

Pass. Audited by ClawScan on May 10, 2026.

Overview

This is a straightforward monitoring connector that sends agent status and task summaries to ClawHQ, with the main considerations being the outbound telemetry and API key handling.

This skill appears coherent and purpose-aligned for dashboard monitoring. Before installing, make sure you trust ClawHQ with agent status and task summaries, keep the CLAWHQ_API_KEY private, and be aware that registry metadata does not fully declare the credential requirement even though the docs do.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using the skill may cause the agent to send status updates to ClawHQ at session start, session end, and heartbeat.

Why it was flagged

The skill instructs the agent to make outbound HTTP POST requests during lifecycle events. This is the core dashboard-reporting behavior and is limited to the disclosed ClawHQ endpoint.

Skill content

Invoke-RestMethod -Uri "https://app.clawhq.co/api/agents/report" -Method Post ...
curl -s -X POST "https://app.clawhq.co/api/agents/report"

Recommendation

Install only if you want this telemetry, and verify that app.clawhq.co is the intended dashboard endpoint.

What this means

Anyone who obtains this API key may be able to report or modify agent status information in the associated ClawHQ dashboard.

Why it was flagged

The skill requires a ClawHQ API key and uses it as a bearer token for the provider API. This is expected for the integration and is openly documented.

Skill content

Environment variable must be set:
- `CLAWHQ_API_KEY`
...
"Authorization" = "Bearer $env:CLAWHQ_API_KEY"

Recommendation

Store the API key only in trusted environments, avoid sharing logs that include it, and rotate the key if it may have been exposed.

What this means

Task descriptions and timestamps may reveal what the agent is working on, including project or client context if summaries contain sensitive details.

Why it was flagged

The skill discloses that it sends agent identity, status, task descriptions, and timestamps to an external dashboard provider.

Skill content

What Gets Reported

- Agent name & status (active, idle, error, offline)
- Current task description
- Heartbeat timestamps

Recommendation

Use non-sensitive task summaries and review ClawHQ’s privacy, retention, and access controls before enabling the connector.

What this means

The platform may not automatically prompt for or highlight the credential requirement even though the skill needs a ClawHQ API key.

Why it was flagged

The registry metadata does not fully match the included package metadata: the package declares an API key requirement and a different version than the registry. The requirement is still disclosed in the docs, so this is a metadata/provenance note rather than hidden behavior.

Skill content

metadata: Required env vars: none; Primary credential: none
package.json: "version": "1.2.0", "requiredEnv": ["CLAWHQ_API_KEY"]

Recommendation

Confirm the publisher/source and configure CLAWHQ_API_KEY intentionally before using the skill.