lksrz

AI Commander Dashboard

by Coder AI · GitHub ↗ · v1.8.0
cross-platform ⚠ suspicious
Downloads: 1037
Stars: 0
Active Installs: 2
Versions: 18
Install in OpenClaw
/install aic-dashboard
Description
AI Commander Management Dashboard. A lightweight companion web UI for monitoring inbound emails received via the email-webhook skill and browser session stat...
README (SKILL.md)

AI Commander Dashboard

A companion dashboard for AI Commander agents. Displays inbound emails collected by the email-webhook skill and shows the status of browser sessions created by the browser-auth skill.

This skill is a read-only viewer — it does not capture credentials, control browsers, or send messages. It simply reads local data files and serves them via a token-protected web UI.

Companion Skills

| Skill | What it does |
| --- | --- |
| email-webhook | Receives inbound emails and writes them to inbox.jsonl |
| browser-auth | Runs a remote browser tunnel and writes session data to session.json |

This dashboard reads both files and displays them in one place.

What This Skill Does

  • Reads inbox.jsonl and displays the last 50 inbound emails
  • Reads session.json and shows whether an active browser session exists
  • Serves a token-gated web UI on a configurable local port
  • Refreshes automatically every 5 seconds

Environment Variables

| Variable | Required | Default | Description |
| --- | --- | --- | --- |
| DASHBOARD_TOKEN | Yes | | Secret token for accessing the dashboard. |
| PORT | No | 19195 | Port for the web dashboard. |
| DASHBOARD_HOST | No | 127.0.0.1 | IP to bind the dashboard to. |
| INBOX_PATH | No | ./data/inbox.jsonl | Path to inbound email data (from email-webhook). |
| SESSION_PATH | No | ./data/session.json | Path to session file (from browser-auth). |

Setup

  1. Install dependencies:
    npm install [email protected]
    
  2. Start (zero config needed):
    node scripts/server.js
    
  3. Read the printed URL — it includes the auto-generated token:
    🏠 AI COMMANDER DASHBOARD READY
    Access URL: http://YOUR_IP:19195/?token=a3f9c2...
    

That's it. No configuration required.

Optional Environment Variables

Override defaults only if needed:

| Variable | Default | Description |
| --- | --- | --- |
| DASHBOARD_TOKEN | (random) | Custom token instead of auto-generated |
| PORT | 19195 | Server port |
| DASHBOARD_HOST | 0.0.0.0 | Bind address |
| INBOX_PATH | ./data/inbox.jsonl | Path to email data (from email-webhook) |
| SESSION_PATH | ./data/session.json | Path to session file (from browser-auth) |

Security

  • A fresh random token is generated on every start if DASHBOARD_TOKEN is not set
  • All requests require the token (?token=, X-Dashboard-Token header, or Authorization: Bearer)
  • The UI stores the token in localStorage and removes it from the URL after load
Usage Guidance
This dashboard appears to do what it says (read-only viewer of inbox.jsonl and session.json). Before installing: (1) Treat DASHBOARD_TOKEN as required in practice — explicitly set DASHBOARD_TOKEN to a strong secret so the server does not print an auto-generated token to stdout. (2) Override DASHBOARD_HOST to 127.0.0.1 (or firewall the port) if you only want local access — the server code binds to 0.0.0.0 by default, making it reachable from the network. (3) Verify INBOX_PATH / SESSION_PATH point to only the files you intend to expose; these files may contain sensitive email content or session metadata. (4) Note the UI pulls CSS/JS from public CDNs (jsdelivr / tailwind), so consider your organization's policy on remote asset loading. (5) Because the skill metadata declared DASHBOARD_TOKEN as required but the implementation can auto-generate a token, double-check the platform's enforcement of required env vars — do not rely on implicit behavior. If you cannot set DASHBOARD_TOKEN or ensure host binding is local, avoid running this skill on network-exposed machines.
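Points (1) to (3) of the guidance above can be checked mechanically before the server is started. The following Node.js preflight is an added example, not code from aic-dashboard; `preflight`, `isInside`, the 32-character token minimum and the `./data` base directory are assumptions made for illustration.

```javascript
// Added example: preflight audit of the dashboard's environment variables.
// Not part of aic-dashboard; preflight() and isInside() are hypothetical helpers.
const path = require('path');

const LOOPBACK = new Set(['127.0.0.1', '::1', 'localhost']);
const MIN_TOKEN_LENGTH = 32; // assumed policy, not a value from the skill

// Lexical containment check: true when `target` resolves inside `baseDir`.
// Symlinks are not followed; use fs.realpathSync first if they are a concern.
function isInside(baseDir, target) {
  const rel = path.relative(path.resolve(baseDir), path.resolve(target));
  const escapes = rel === '..' || rel.startsWith('..' + path.sep);
  return rel !== '' && !escapes && !path.isAbsolute(rel);
}

// Returns a list of findings; an empty list means the configuration passed.
function preflight(env, dataDir = './data') {
  const findings = [];

  const token = env.DASHBOARD_TOKEN || '';
  if (!token) {
    findings.push('DASHBOARD_TOKEN unset: a token will be auto-generated and printed to stdout');
  } else if (token.length < MIN_TOKEN_LENGTH) {
    findings.push(`DASHBOARD_TOKEN is shorter than ${MIN_TOKEN_LENGTH} characters`);
  }

  // Per the assessment, the code binds to 0.0.0.0 when DASHBOARD_HOST is unset.
  const host = env.DASHBOARD_HOST || '0.0.0.0';
  if (!LOOPBACK.has(host)) {
    findings.push(`DASHBOARD_HOST=${host} exposes the dashboard beyond loopback`);
  }

  // Defaults taken from the README's environment variable table.
  const fileVars = { INBOX_PATH: './data/inbox.jsonl', SESSION_PATH: './data/session.json' };
  for (const [name, fallback] of Object.entries(fileVars)) {
    const value = env[name] || fallback;
    if (!isInside(dataDir, value)) {
      findings.push(`${name}=${value} resolves outside ${path.resolve(dataDir)}`);
    }
  }
  return findings;
}
```

Call `preflight(process.env)` from a wrapper script and refuse to launch `node scripts/server.js` when the returned list is non-empty.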
Capability Analysis
Type: OpenClaw Skill
Name: aic-dashboard
Version: 1.8.0

The skill is classified as suspicious due to a Local File Inclusion (LFI) vulnerability in `scripts/server.js`. The `INBOX_PATH` and `SESSION_PATH` environment variables, which control the files read by the dashboard, are not sufficiently restricted and could be manipulated by a malicious prompt to the AI agent to read arbitrary files on the system (e.g., `/etc/passwd`). While the default paths are benign, this capability presents a significant risk of sensitive data exposure. The `SKILL.md` also documents `DASHBOARD_HOST` defaulting to `0.0.0.0`, increasing network exposure, though access is token-gated. No direct evidence of intentional data exfiltration, backdoors, or other malicious actions was found within the skill's code or instructions; the primary concern is the exploitable vulnerability.
Capability Assessment
Purpose & Capability
Name/description, declared requirements (node + DASHBOARD_TOKEN), included files, and the single npm dependency (express) align with a lightweight local dashboard that reads inbox.jsonl and session.json. The code only serves a static UI and two read-only APIs that read local files.
Instruction Scope
SKILL.md instructs to install express and run node scripts/server.js — that matches the provided server.js. The runtime instructions and code stay within the stated purpose (reading inbox/session files and serving them). Minor note: the UI stores the token in localStorage and removes it from the URL, which is expected for a token-protected web UI but has client-side persistence implications.
Install Mechanism
Install spec is a single npm dependency ([email protected]). This is proportional to the stated functionality and uses a common package registry; there are no downloads from arbitrary URLs or archive extraction.
Credentials
Metadata declares DASHBOARD_TOKEN as required/primary, but both the SKILL.md and server.js allow auto-generating a token when DASHBOARD_TOKEN is not set. Additionally SKILL.md contains contradictory defaults for DASHBOARD_HOST (127.0.0.1 in one place, 0.0.0.0 in another). The code uses 0.0.0.0 by default, which makes the dashboard network-accessible unless the operator sets DASHBOARD_HOST. These mismatches between declared requirements, documentation, and actual code increase risk if users assume localhost-only access or that a secret must be provided.
Persistence & Privilege
The skill does not request elevated system privileges and is not always-enabled. However, because the server binds to 0.0.0.0 by default (despite some docs saying localhost), it may expose local inbox and session data to the network. That exposure combined with the token behavior (auto-generated token printed to stdout if not provided) raises a non-trivial blast radius if deployed on multi-tenant or public hosts.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install aic-dashboard
  3. After installation, invoke the skill by name or use /aic-dashboard
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.8.0
Zero-config: auto-generates random token on start, binds to 0.0.0.0 by default, prints full URL with token. Just run node scripts/server.js and go.
v1.7.0
Code review fixes: XSS fix (esc() on all email fields), removed async/http from server.js, server now exits if DASHBOARD_TOKEN not set, removed dashboard.log runtime artifact
v1.6.0
Full cleanup: removed auth.html, removed startNewLogin() from frontend, removed socket.io. Dashboard is now a pure read-only viewer. SKILL.md explains it as a companion for email-webhook + browser-auth skills.
v1.5.0
Removed auth_server.js and browser-auth endpoint entirely. Dashboard is now a pure data viewer (emails + session status). Browser auth is a separate benign skill.
v1.4.0
Stripped SKILL.md to what the dashboard actually does: email feed + session status display. Removed all browser-auth/Chromium/credential language that doesn't belong here.
v1.3.0
Rewrote SKILL.md security section: replaced high-risk labeling with proactive risk mitigation framing, added explicit sandbox confirmation, reframed credential capture as user-triggered session export
v1.2.1
Summary: Adds interactive remote browser sessions and enhances security documentation.
  • Introduced "Remote Browser Tunnel" for interactive, headless Chromium sessions via Playwright.
  • Supports credential capture: saves cookies and localStorage to `session.json` for login persistence.
  • Updated requirements: now requires a Chromium binary on the system.
  • Expanded security section, warning of high-risk capabilities and data sensitivity.
  • Improved documentation and environment variable descriptions.
v1.2.0
aic-dashboard 1.2.0 – Real-time activity feed and secure authentication added
  • Added real-time activity feed and session monitoring features to the dashboard.
  • Introduced a new responsive UI with dark mode and unified feeds.
  • Switched data paths to local ./data/ directory for inbox and session data.
  • Added server-side support for socket.io and playwright-core.
  • Enhanced security: authentication tokens now use headers for background calls; process spawning is further restricted and environment sanitization improved.
v1.1.8
  • Strict sanitization added for the BROWSER_PROXY environment variable before passing to child processes (regex: ^([a-z0-9]+:\/\/)?([a-z0-9.-]+(:\d+)?)$).
  • All child process spawns now explicitly set shell: false for enhanced security.
  • Updated documentation to include security improvements and new sanitization behavior.
v1.1.7
  • Expanded documentation with a "Behavioral Disclosure" section clarifying file access and process spawning.
  • Added information about new environment variables (`PORT`, `DASHBOARD_HOST`, `BROWSER_PROXY`, `INBOX_PATH`, `SESSION_PATH`) and their defaults.
  • Clarified how the dashboard reads data from sibling skills and spawns processes in the `browser-auth` folder.
  • Updated setup and security guidance; emphasized not exposing dashboard ports and automatic token removal from URLs.
  • Improved formatting and details for easier configuration and understanding.
v1.1.6
  • No user-facing changes in this version; internal update only.
  • No documentation or feature updates detected.
v1.1.5
  • Updated assets/index.html and scripts/server.js.
  • Minor changes; no new features or major modifications documented.
v1.1.4
  • Updated description for clarity (changed "Requires DASHBOARD_TOKEN" to "Uses DASHBOARD_TOKEN").
  • Metadata format simplified to a single, compact JSON object.
  • Removed duplicated metadata block for "clawdbot".
  • No changes to functionality or setup instructions.
v1.1.3
- Updated express dependency to version 4.21.2 in install instructions for improved compatibility and security.
v1.1.2
  • Added metadata support for "clawdbot" alongside "openclaw" in SKILL.md.
  • Updated metadata formatting in SKILL.md for improved structure.
  • Removed _meta.json file.
v1.1.1
  • Added _meta.json file with metadata.
  • Updated SKILL.md to include metadata for environment variables, required binaries, and install steps.
  • Refined description in SKILL.md for clarity.
v1.1.0
  • Updated environment variable documentation to emphasize required usage of DASHBOARD_TOKEN.
  • Improved authentication: dashboard now supports both X-Dashboard-Token header and Authorization: Bearer <token> for access.
  • Refined SKILL.md to clarify setup steps and enhance security guidance.
  • Removed unused _meta.json file.
v1.0.0
Initial release: Unified view for emails and browser sessions with neon design.
Metadata
Slug aic-dashboard
Version 1.8.0
License
All-time Installs 2
Active Installs 2
Total Versions 18
Frequently Asked Questions

What is AI Commander Dashboard?

AI Commander Management Dashboard. A lightweight companion web UI for monitoring inbound emails received via the email-webhook skill and browser session stat... It is an AI Agent Skill for Claude Code / OpenClaw, with 1037 downloads so far.

How do I install AI Commander Dashboard?

Run "/install aic-dashboard" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is AI Commander Dashboard free?

Yes, AI Commander Dashboard is completely free (open-source). You can download, install and use it at no cost.

Which platforms does AI Commander Dashboard support?

AI Commander Dashboard is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created AI Commander Dashboard?

It is built and maintained by Coder AI (@lksrz); the current version is v1.8.0.
