jonathanjing

openclaw-dashboard

by Jonathan Jing · GitHub ↗ · v1.7.3
cross-platform ⚠ suspicious
4714 Downloads · 9 Stars · 35 Active Installs · 19 Versions
Install in OpenClaw
/install openclaw-dashboard
Description
Real-time operations dashboard for OpenClaw. Monitors sessions, costs, cron jobs, and gateway health. Use when installing the dashboard, starting the server,...
Usage Guidance
Install only if you want a local OpenClaw administrative control plane, not a passive dashboard. Set a strong OPENCLAW_AUTH_TOKEN, keep it bound to localhost unless the tunnel/proxy is tightly controlled, avoid enabling mutating/config/provider-audit/key-loading flags casually, and treat task spawning as sensitive because dashboard credentials can enter agent context and logs.
Capability Analysis
Type: OpenClaw Skill
Name: openclaw-dashboard
Version: 1.7.3
This OpenClaw skill bundle is classified as benign. The project demonstrates a strong focus on security, explicitly declaring all sensitive capabilities (e.g., file system access, process execution, API key loading) and implementing multiple layers of defense. Key indicators include:
  1. All high-risk operations are opt-in via environment variables and restricted to localhost requests in `api-server.js`.
  2. Process execution uses `child_process.execFileSync` with array arguments, preventing shell injection.
  3. File path operations employ `fs.realpathSync` and strict directory whitelisting to prevent traversal attacks.
  4. User-provided content is sanitized with `DOMPurify` and `sanitizeUntrustedText` to mitigate XSS and prompt injection risks, with explicit instructions to the AI agent to treat input as untrusted data.
The `SECURITY.md` accurately reflects these robust controls.
Capability Assessment
Purpose & Capability
The artifacts coherently describe an operations/admin dashboard and disclose many sensitive features, including backup/restore, update, restart, provider audit, config viewing, cron/model changes, file access, and task management. The concern is breadth: the SKILL description emphasizes monitoring while the implementation also exposes active task execution and system-changing controls.
Instruction Scope
Task creation/spawn sends a prompt to the OpenClaw agent to execute the task and includes curl commands containing the dashboard bearer token. The prompt marks task fields as untrusted, but still combines user task intent, execution instructions, and a reusable dashboard credential in the agent context.
Install Mechanism
Installation is standard ClawHub/manual CLI with no hidden installer or automatic persistence found. Documentation references env.example, but that file is absent from the supplied artifact, and _meta.json shows an older version than SKILL.md.
Credentials
The server binds to 127.0.0.1 by default, CORS defaults to loopback, and major mutating operations require explicit environment flags plus localhost requests. Risk rises materially if the operator exposes it through a tunnel/proxy, leaves the auth token unset, or enables provider/config/mutating flags.
Persistence & Privilege
With opt-in flags the dashboard can git add/commit/push, git reset --hard to an auto-backup, run npm install -g or brew upgrade, restart OpenClaw, change cron/session models, write selected workspace Markdown files, and persist task attachments. Most of this is disclosed and gated, but it is high-impact administrative authority.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install openclaw-dashboard
  3. After installation, invoke the skill by name or use /openclaw-dashboard
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.7.3
Added simplified installation instructions to SKILL.md and README.md.
v1.7.1
v1.7.1: Expanded SECURITY.md with Threat Model, Capability Escalation Matrix, and defense-in-depth documentation to clarify that admin capabilities are opt-in, localhost-only, and input-sanitized by design
v1.7.0
v1.7.0: Fix all 4 VirusTotal findings — remove hardcoded restart token, switch API auth to Bearer header, remove localStorage token storage, add DOMPurify for markdown XSS prevention
v1.6.0
Security hardening: removed localStorage token storage (XSS mitigation), auth now HttpOnly cookie only; added SECURITY.md documenting auth model, prompt injection mitigations, and mutating ops controls
v1.5.2
Trigger VirusTotal security re-scan; no functional changes
v1.5.1
Fix SKILL.md: bump version to 1.5.1, updated description to reflect current features (watchdog, lang toggle, cost analysis)
v1.5.0
Watchdog redesign (24h uptime bar + incident log), language toggle (EN/中文), confirmDialog replacing native popups, thinkingLevel badge in sessions, fresh README with screenshots
v1.0.9
Risk-surface reduction: localhost bind default, no token-in-query API usage, tighter attachment copy defaults, and integrated /metrics endpoint.
v1.0.8
Add non-dot env.example for ClawHub package visibility.
v1.0.7
Republish to retrigger VirusTotal scan.
v1.0.6
Improve install experience: configurable title, .env.example updates, restructured SKILL.md with user guide
v1.4.0
SECURITY: Restrict CORS to loopback origins (no more wildcard *). New DASHBOARD_CORS_ORIGINS env for explicit allowlist. Document credential exposure risks and network security policy in SKILL.md + SECURITY.md.
v1.3.0
SECURITY: Eliminate all execSync shell injection surface. All child_process calls now use execFileSync with args arrays (no shell). Add symlink escape protection for FILEPATH_COPY. Zero execSync remaining.
v1.0.5
Risk-surface reduction: localhost bind default, no token-in-query API usage, tighter attachment copy defaults, and integrated authenticated metrics endpoint.
v1.0.4
Least-privilege hardening: mutating ops disabled by default, localhost-only enforcement, and stricter attachment copy source controls.
v1.0.3
Security hardening: sanitized untrusted prompts, safer update command execution, optional user-scoped restart, and VirusTotal compliance documentation.
v1.0.2
Metadata refinement: key/config requirements are optional by default.
v1.0.1
Compliance hardening: explicit env declarations and opt-in sensitive behaviors.
v1.0.0
Initial public sanitized dashboard skill release.
Metadata
Slug openclaw-dashboard
Version 1.7.3
License
All-time Installs 35
Active Installs 35
Total Versions 19
Frequently Asked Questions

What is openclaw-dashboard?

Real-time operations dashboard for OpenClaw. Monitors sessions, costs, cron jobs, and gateway health. Use when installing the dashboard, starting the server,... It is an AI Agent Skill for Claude Code / OpenClaw, with 4714 downloads so far.

How do I install openclaw-dashboard?

Run "/install openclaw-dashboard" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is openclaw-dashboard free?

Yes, openclaw-dashboard is completely free (open-source). You can download, install and use it at no cost.

Which platforms does openclaw-dashboard support?

openclaw-dashboard is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created openclaw-dashboard?

It is built and maintained by Jonathan Jing (@jonathanjing); the current version is v1.7.3.
