openclaw-dashboard
Author: Jonathan Jing · GitHub · v1.7.3
Total downloads: 4714
Favorites: 9
Current installs: 35
Number of versions: 19
Install in OpenClaw:
/install openclaw-dashboard
Description
Real-time operations dashboard for OpenClaw. Monitors sessions, costs, cron jobs, and gateway health. Use when installing the dashboard, starting the server,...
Safe-use recommendations
Install only if you want a local OpenClaw administrative control plane, not a passive dashboard. Set a strong OPENCLAW_AUTH_TOKEN, keep it bound to localhost unless the tunnel/proxy is tightly controlled, avoid enabling mutating/config/provider-audit/key-loading flags casually, and treat task spawning as sensitive because dashboard credentials can enter agent context and logs.
Analysis
Type: OpenClaw Skill
Name: openclaw-dashboard
Version: 1.7.3
This OpenClaw skill bundle is classified as benign. The project demonstrates a strong focus on security, explicitly declaring all sensitive capabilities (e.g., file system access, process execution, API key loading) and implementing multiple layers of defense. Key indicators include: 1) All high-risk operations are opt-in via environment variables and restricted to localhost requests in `api-server.js`. 2) Process execution uses `child_process.execFileSync` with array arguments, preventing shell injection. 3) File path operations employ `fs.realpathSync` and strict directory whitelisting to prevent traversal attacks. 4) User-provided content is sanitized with `DOMPurify` and `sanitizeUntrustedText` to mitigate XSS and prompt injection risks, with explicit instructions to the AI agent to treat input as untrusted data. The `SECURITY.md` accurately reflects these robust controls.
Capability assessment
Purpose & Capability
The artifacts coherently describe an operations/admin dashboard and disclose many sensitive features, including backup/restore, update, restart, provider audit, config viewing, cron/model changes, file access, and task management. The concern is breadth: the SKILL description emphasizes monitoring while the implementation also exposes active task execution and system-changing controls.
Instruction Scope
Task creation/spawn sends a prompt to the OpenClaw agent to execute the task and includes curl commands containing the dashboard bearer token. The prompt marks task fields as untrusted, but still combines user task intent, execution instructions, and a reusable dashboard credential in the agent context.
Install Mechanism
Installation is standard ClawHub/manual CLI with no hidden installer or automatic persistence found. Documentation references env.example, but that file is absent from the supplied artifact, and _meta.json shows an older version than SKILL.md.
Credentials
The server binds to 127.0.0.1 by default, CORS defaults to loopback, and major mutating operations require explicit environment flags plus localhost requests. Risk rises materially if the operator exposes it through a tunnel/proxy, leaves the auth token unset, or enables provider/config/mutating flags.
Persistence & Privilege
With opt-in flags the dashboard can git add/commit/push, git reset --hard to an auto-backup, run npm install -g or brew upgrade, restart OpenClaw, change cron/session models, write selected workspace Markdown files, and persist task attachments. Most of this is disclosed and gated, but it is high-impact administrative authority.
How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install openclaw-dashboard
- After installation, call the Skill by name directly or trigger it with /openclaw-dashboard
- Provide the required inputs according to the Skill's parameter description to receive structured output
Version history
v1.7.3
Added simplified installation instructions to SKILL.md and README.md.
v1.7.1
v1.7.1: Expanded SECURITY.md with Threat Model, Capability Escalation Matrix, and defense-in-depth documentation to clarify that admin capabilities are opt-in, localhost-only, and input-sanitized by design
v1.7.0
v1.7.0: Fix all 4 VirusTotal findings — remove hardcoded restart token, switch API auth to Bearer header, remove localStorage token storage, add DOMPurify for markdown XSS prevention
v1.6.0
Security hardening: removed localStorage token storage (XSS mitigation), auth now HttpOnly cookie only; added SECURITY.md documenting auth model, prompt injection mitigations, and mutating ops controls
v1.5.2
Trigger VirusTotal security re-scan; no functional changes
v1.5.1
Fix SKILL.md: bump version to 1.5.1, updated description to reflect current features (watchdog, lang toggle, cost analysis)
v1.5.0
Watchdog redesign (24h uptime bar + incident log), language toggle (EN/中文), confirmDialog replacing native popups, thinkingLevel badge in sessions, fresh README with screenshots
v1.0.9
Risk-surface reduction: localhost bind default, no token-in-query API usage, tighter attachment copy defaults, and integrated /metrics endpoint.
v1.0.8
Add non-dot env.example for ClawHub package visibility.
v1.0.7
Republish to retrigger VirusTotal scan.
v1.0.6
Improve install experience: configurable title, .env.example updates, restructured SKILL.md with user guide
v1.4.0
SECURITY: Restrict CORS to loopback origins (no more wildcard *). New DASHBOARD_CORS_ORIGINS env for explicit allowlist. Document credential exposure risks and network security policy in SKILL.md + SECURITY.md.
v1.3.0
SECURITY: Eliminate all execSync shell injection surface. All child_process calls now use execFileSync with args arrays (no shell). Add symlink escape protection for FILEPATH_COPY. Zero execSync remaining.
v1.0.5
Risk-surface reduction: localhost bind default, no token-in-query API usage, tighter attachment copy defaults, and integrated authenticated metrics endpoint.
v1.0.4
Least-privilege hardening: mutating ops disabled by default, localhost-only enforcement, and stricter attachment copy source controls.
v1.0.3
Security hardening: sanitized untrusted prompts, safer update command execution, optional user-scoped restart, and VirusTotal compliance documentation.
v1.0.2
Metadata refinement: key/config requirements are optional by default.
v1.0.1
Compliance hardening: explicit env declarations and opt-in sensitive behaviors.
v1.0.0
Initial public sanitized dashboard skill release.
Metadata
FAQ
What is openclaw-dashboard?
Real-time operations dashboard for OpenClaw. Monitors sessions, costs, cron jobs, and gateway health. Use when installing the dashboard, starting the server,... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 4714 downloads to date.
How do I install openclaw-dashboard?
Run the command "/install openclaw-dashboard" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is required.
Is openclaw-dashboard free?
Yes, openclaw-dashboard is completely free (open source) and can be freely downloaded, installed and used.
Which platforms does openclaw-dashboard support?
openclaw-dashboard is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed openclaw-dashboard?
Developed and maintained by Jonathan Jing (@jonathanjing); the current version is v1.7.3.