Mission control dashboard for OpenClaw - real-time session monitoring, LLM usage tracking, cost intelligence, and system vitals. View all your AI agents in o...
Security Analysis
high confidenceThis package is a self‑hosted Node.js dashboard that matches its description — it runs a local server and reads your OpenClaw workspace for monitoring; nothing in the manifest demands unrelated credentials or surprising install steps.
Name/description, files (lib/server.js, config example, public UI), and runtime instruction (node lib/server.js) all align: this is a local dashboard for OpenClaw workspaces. The repo contains UI, server, and docs supporting the claimed features (session monitoring, vitals, cost tracking). No required env vars or unrelated binaries are listed, so requested capabilities are proportional to the stated purpose.
SKILL.md instructs only to start the included server (node lib/server.js). The dashboard is explicitly designed to read OpenClaw workspace directories (memory/, state/) and expose them via UI/API — this is expected for a monitoring dashboard. Note: the server will access local workspace files (memories, state, logs); that's legitimate for the feature but is the primary privacy surface to review before running.
Install/runtime uses a simple shell command to run the included Node.js server; no remote downloads or URL-based extract steps are present in the manifest. The package includes source files and a package.json. This is a low-risk, typical install for a Node skill.
No required environment variables are declared. Optional env vars are referenced in docs (OPENCLAW_WORKSPACE, DASHBOARD_AUTH_MODE, DASHBOARD_TOKEN, PORT), which are reasonable for configuration and authentication. Integrations (Slack, Linear, Discord) are present in the example config but disabled by default — enabling them would require the corresponding API keys. Overall, requested environment access is proportional; users should be aware enabling integrations or remote auth modes will require secrets and network exposure.
always is false and the skill does not request permanent platform-wide privileges. It runs as a normal local web service and does not declare modifications to other skills or system‑wide settings. Autonomous invocation of skills (disable-model-invocation=false) is the platform default and not by itself a concern here.
Guidance
What this will do: it starts a local Node server (node lib/server.js) that reads your OpenClaw workspace (memory/, state/, logs) and serves a dashboard at http://localhost:3333. Things to check before installing/running: - Review lib/server.js (and any networking code) if you need assurance it doesn't phone home. The README claims "no external calls," but verify if you require absolute certainty. - Confirm the server binds to localhost and set DASHBOARD_AUTH_MODE and allowed IPs before exposing to a network. If you must expose publicly, enable an auth mode (token, Cloudflare Access, or Tailscale) and do not leave DASHBOARD_TOKEN in plaintext in shared configs. - Inspect workspace memory/state files (these can contain sensitive agent data) and consider running the dashboard in an environment with only the data you are comfortable exposing to a local web UI. - Integrations (Slack, Linear, Discord) are disabled by default; enable them only if you intend to provide their API keys and understand the implications. - Verify repository provenance if the registry "source" is unknown: the SKILL references a GitHub repo (github.com/jontsai/openclaw-command-center); confirm that is the intended upstream before trusting updates. If you review the server code and run it locally with default host=localhost and no external integrations, the skill appears coherent and appropriate for its stated purpose.
Latest Release
v1.4.1
Release v1.4.1 - fix: prevent iostat process leak on macOS, fix: SSE connection status stuck on Connecting
More by @jontsai
Published by @jontsai on ClawHub
