status-web
by Yitao&Agents · v1.0.0
1772 Downloads · 1 Stars · 16 Active Installs · 1 Versions
Install in OpenClaw: /install status-web
Description
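Status monitoring page skill pack for 小雨 bot. Provides a web interface for real-time monitoring of OpenClaw Agent work status, scheduled tasks, and system health. Includes a static caching mechanism for fast loading, a polished UI, and standalone deployment capability. Use cases: monitoring AI Agent run status, viewing recent work records, managing scheduled tasks, and checking system health.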
Usage Guidance
Key things to consider before installing:
1) The package's files contain hardcoded paths (/home/admin/openclaw/workspace), expect an 'openclaw' CLI, and will exec shell commands — it needs privileges to read agent memory and run the agent CLI.
2) Several inconsistencies exist: the SKILL.md/start instructions reference different script names/paths than provided (start.sh vs start-server.sh; server.js location), and the module get-scheduled-tasks-simple is required by server.js but not included — the package appears incomplete or mispackaged.
3) The POST /api/chat endpoint can forward messages to the OpenClaw agent using a hardcoded mainSessionId after a simple magic-string check; there is no real authentication. If you expose this server to a network, an attacker who discovers the endpoint or magic phrase could interact with the agent.
4) Recommended actions: run this only in an isolated environment (container or VM), do not bind to 0.0.0.0 on public interfaces, require/implement proper authentication for /api/chat, review and fix path/script mismatches (ensure start script points to the correct server.js and included modules exist), remove or harden any ability to exec the OpenClaw CLI from web-exposed endpoints, and audit the memory files the code will read to confirm no sensitive data is exposed.
If you cannot verify or fix these issues, treat the package as untrusted and do not run it on production agents.
Capability Analysis
Type: OpenClaw Skill
Name: status-web
Version: 1.0.0
The `server.js` file uses `child_process.execSync` to execute `openclaw agent` commands with user-provided input from the `/api/chat` endpoint. While there is an attempt to sanitize the user's `message` (`message.replace(/"/g, '\"').replace(/\$/g, '\$')`), this sanitization is insufficient to prevent all potential shell injection vulnerabilities, posing a risk of Remote Code Execution (RCE). Additionally, this 'hidden chat' feature explicitly allows users to perform prompt injection against the AI agent. Although there is no clear evidence of intentional malicious behavior like data exfiltration or backdoors, the presence of a shell injection vulnerability and direct prompt injection vector makes this skill bundle suspicious.
Capability Assessment
Purpose & Capability
The description is a simple status/monitoring web UI, which would reasonably read local status and maybe call OpenClaw APIs. However the shipped code expects to execute the OpenClaw CLI (execSync('openclaw ...')), read files under /home/admin/openclaw/workspace/memory, and relies on additional modules (get-scheduled-tasks-simple) that are referenced but not present. The skill declares no required binaries or env vars despite depending on the openclaw CLI and a specific filesystem layout—this mismatch is incoherent.
Instruction Scope
Runtime instructions and scripts attempt to read agent memory files, call a local OpenClaw HTTP endpoint (update-cache.sh calls http://localhost:18789/api/status), and execute OpenClaw CLI commands. The POST /api/chat endpoint, when given a special activation phrase (or unlocked=true), runs `openclaw agent --session-id <hardcoded-id> --message ...` via shell exec and returns the result. That effectively provides a remote-to-agent relay with only a magic-string check (no proper auth). SKILL.md startup instructions reference start.sh and server.js at top-level, but the repository uses different filenames/paths, creating further mismatch.
Install Mechanism
There is no external install/download step (instruction-only install spec), so no remote code is fetched during install. The risk here comes from the included files themselves (they will run on the host), but there are no URLs/archives to flag.
Credentials
The skill requests no environment variables or credentials, yet the code accesses sensitive local paths (/home/admin/openclaw/workspace and its memory files), expects the 'openclaw' CLI to be present, and calls localhost:18789. For a simple UI this access could be reasonable, but the lack of explicit declared requirements (binaries, config paths, or auth requirements) is disproportionate and hides the true privileges the skill needs.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. However, it opens a local web server exposing an unauthenticated chat API that can invoke the agent CLI (with a hardcoded main session id). That increases blast radius if the server is reachable — you should treat the service as potentially able to influence the agent at runtime and restrict network exposure and authentication accordingly.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: `/install status-web`
- After installation, invoke the skill by name or use `/status-web`
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of xiaoyu-bot-status: a comprehensive web status monitor for OpenClaw Agent.
- Real-time monitoring of work tasks, scheduled jobs, and system health via web interface
- Static cache ensures instant page load; background silent update for fresh data
- Polished, responsive UI with visual status indicators and animation effects
- Fully independent Node.js service—runs standalone, Cloudflare Tunnel supported
- Easter egg: 7x title click reveals a secure chat window with the bot
- Cron-based script for automated cache updates every 3 hours
Frequently Asked Questions
What is status-web?
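Status monitoring page skill pack for 小雨 bot. Provides a web interface for real-time monitoring of OpenClaw Agent work status, scheduled tasks, and system health. Includes a static caching mechanism for fast loading, a polished UI, and standalone deployment capability. Use cases: monitoring AI Agent run status, viewing recent work records, managing scheduled tasks, and checking system health. It is an AI Agent Skill for Claude Code / OpenClaw, with 1772 downloads so far.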
How do I install status-web?
Run "/install status-web" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is status-web free?
Yes, status-web is completely free (open-source). You can download, install and use it at no cost.
Which platforms does status-web support?
status-web is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created status-web?
It is built and maintained by Yitao&Agents (@ra1nzzz); the current version is v1.0.0.