ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

InfoDashboard

v1.0.0

Guided SOP for setting up and using InfoDashboard from OpenClaw. Use when the user wants to clone the InfoDashboard repo, configure database and LLM keys, st...

1· 46·0 current·0 all-time
by@zyxapple98
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (guided setup and use of InfoDashboard) matches the instructions: cloning a GitHub repo, configuring .env.local with LLM and DB info, installing Python deps, and running the server. No unrelated env vars, binaries, or installs are requested by the skill itself.
Instruction Scope
SKILL.md and referenced docs limit actions to repository checkout detection/cloning, editing .env.local (user-driven), dependency install, running the server, and submitting generation requests to the local service. The skill explicitly forbids requesting secrets in chat and requires confirmation before state changes. It does read optional local config (~/.openclaw/openclaw.json) and filesystem state (repo path, repo cleanliness), which is expected for a setup SOP.
Install Mechanism
This is an instruction-only skill with no install spec and no code files executed by the platform. All commands run are local shell commands the user is to confirm — lowest install risk from the skill bundle itself.
Credentials
The skill does not request credentials in chat, but it directs the user to create/modify .env.local containing LLM provider keys and SQL Server credentials (including SOCKS5 proxy settings). These secrets are necessary for the described InfoDashboard functionality, but they grant access to internal databases and LLM providers so the user must supply them locally and verify trust in the third-party repo.
Persistence & Privilege
always is false and the skill is user-invocable; it may read an optional ~/.openclaw/openclaw.json for defaults but does not request permanent platform privileges or modify other skills' configs. The ability to run autonomously (model invocation allowed) is the platform default and not a special privilege here.
Assessment
This skill is internally consistent with its stated purpose, but before using it: 1) Inspect the InfoDashboard repository (https://github.com/AInsteinAsia/InfoDashboard) yourself before running any code; 2) Do not paste API keys or DB passwords into chat — the skill explicitly forbids that and asks you to edit .env.local locally; 3) Be aware running the server will attempt to start an frp SOCKS5 tunnel (tools/frpc*), which can connect to remote infrastructure once you provide frpc config — verify those binaries and the frpc config (tools/frpc-visitor.ini) before running; 4) Confirm Docker, Python, and other prerequisites are present and that you trust the external LLM provider you configure; and 5) If you want higher assurance, review main.py and any networking code in the repo to confirm it doesn't exfiltrate data beyond the intended LLM/database calls.

Like a lobster shell, security has layers — review code before you run it.

latestvk970v3078pzb25sah3gd60evf183x6pn

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🏭 Clawdis

Comments