Openclaw Command Center
v1.4.1Mission control dashboard for OpenClaw - real-time session monitoring, LLM usage tracking, cost intelligence, and system vitals. View all your AI agents in o...
⭐ 63· 10.2k·72 current·78 all-time
byJonathan Tsai@jontsai
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The name/description (monitoring, LLM usage, system vitals) match the repository contents: a Node.js server (lib/server.js), frontend assets, config examples and scripts. Declared requirements are minimal and align with a local dashboard. There are no unrelated credentials or binaries declared.
Instruction Scope
Runtime instructions tell the agent/user to run node lib/server.js and optionally set OPENCLAW_WORKSPACE or DASHBOARD_AUTH_MODE. This is appropriate, but the server is intended to read your OpenClaw workspace (memory/, state/, logs) and will expose aggregated data via endpoints like GET /api/state and SSE /api/events. Users should be aware those endpoints surface local agent data; privacy controls are documented but you should verify behavior in lib/server.js before exposing the service to untrusted networks.
Install Mechanism
The SKILL.md install step simply starts the included Node server (node lib/server.js) — no external downloads in the install spec. The repo contains helper scripts (install-system-deps.sh, setup.sh, etc.) that can install optional OS packages if run, but they are not invoked by the SKILL.md. Running the bundled Node code is a standard pattern for such dashboards but carries the usual risk of executing third-party JavaScript.
Credentials
No required env vars are declared in the registry metadata. SKILL.md documents optional variables (OPENCLAW_WORKSPACE, DASHBOARD_AUTH_MODE, DASHBOARD_TOKEN, PORT, etc.) that are appropriate for a dashboard. Integration keys (linear/slack/discord) exist in example config but are disabled by default; they are proportionate to advertised integration capabilities.
Persistence & Privilege
The skill does not request always: true and does not declare modifications to other skills or system-wide agent settings. It runs as a self-contained service and does not request elevated platform privileges in the metadata.
Assessment
This appears to be a legitimate self-hosted OpenClaw dashboard whose code and docs line up with the claimed functionality. Before installing or running:
- Inspect lib/server.js (and any modules it loads) to confirm it binds to localhost by default and to understand what filesystem paths it reads and what data it exposes via /api/state and /api/events.
- If you plan to expose the dashboard beyond localhost, enable and verify a secure auth mode (token, tailscale, or Cloudflare Access); do not run it publicly with DASHBOARD_AUTH_MODE=none.
- Check config/dashboard.example.json to confirm which workspace paths will be scanned (memory/, state/, logs) and consider running in a disposable container or VM if you are unsure.
- Review scripts/install-system-deps.sh and any setup scripts before running them; they may call package managers and require sudo.
- Verify the source and provenance (the SKILL.md links a GitHub repo but the registry metadata lists no homepage); prefer installing from a trusted upstream repo or after a manual code review.
If you want higher assurance, run the server in an isolated environment and audit network/listening behavior and filesystem access before giving it access to production agent data.Like a lobster shell, security has layers — review code before you run it.
latestvk97cp77dtr3e6e6a4gt6d0ghpx82hz98
License
MIT-0
Free to use, modify, and redistribute. No attribution required.