Openclaw Command Center

The name/description (Command Center, session/LLM/cost/vitals dashboard) aligns with the code and files provided: a Node.js server (lib/server.js), frontend assets, docs, and optional integration adapters. There are no unexpected cloud-provider credentials or unrelated binaries requested.

Runtime instructions simply run node lib/server.js and explain optional env vars (OPENCLAW_WORKSPACE, DASHBOARD_AUTH_MODE, DASHBOARD_TOKEN). The server auto-detects and reads workspace paths (memory/, state/, logs/) and exposes a memory/browser panel — this is expected for the dashboard but means it will read local files that may contain sensitive data (API keys, tokens, private conversation transcripts). The SKILL.md does not claim any external telemetry, but the repo contains optional integration adapters (linear, slack, discord) which, if enabled in config, will contact external services.

Install is low-risk: the skill is shipped as source code and the declared install action runs node lib/server.js. There are install/setup scripts present in the repo (setup.sh, install-system-deps.sh, pre-commit hooks) but none are forced by the SKILL.md install step; no arbitrary URL downloads or third-party package installation during skill install are declared.

The skill does not require any environment variables or credentials by default. It documents optional env vars for workspace override and auth modes (token/tailscale/cloudflare). Integration API keys (linear/slack/discord) appear in config as optional settings — these are proportionate to the stated features and are not required to run.

The skill does not request permanent registry-level privileges (always:false) and the provided install step does not modify system-wide settings. However the repo includes helper scripts and pre-commit hook instructions that, if executed by a user, will modify local git hooks or install system packages — these actions require explicit user invocation and should be reviewed before running.