Stop guessing what your AI costs. Tinker shows every token, every dollar, every context byte — in real time.
Security Analysis
medium confidence
The skill's claimed purpose (a local, read-only dashboard for an OpenClaw gateway) matches what it asks you to do (clone and build a UI that connects to your local gateway); nothing requested is disproportionate, but you should review the upstream repo before running builds because the skill relies on third‑party code run on your machine.
Name, description, and runtime instructions all describe a local dashboard that connects to an OpenClaw gateway WebSocket. Required binaries (node, pnpm) are consistent with building a Vite/Lit UI. No unrelated credentials, config paths, or services are requested.
SKILL.md instructs you to git clone the GitHub fork and run pnpm install/build, and to connect to the local gateway WebSocket (port 18789). Those steps are within scope for a monitoring UI, but the WebSocket exposes full request/response payloads (conversation text, tool outputs) — the dashboard will see sensitive content if present. The doc does not instruct the agent to read unrelated system files or environment variables.
This is instruction-only (no packaged install spec). The recommended install is a git clone from GitHub (a well-known host) followed by a pnpm build. That is reasonable, but the build runs pnpm install, which fetches many third-party packages; review the repository and dependencies before running builds.
No environment variables, credentials, or config paths are required. The lack of extraneous secrets is appropriate for a local monitoring UI. The only resource accessed is the local OpenClaw gateway WebSocket, which is consistent with the stated function.
The skill does not request persistent/always-on privileges in the metadata (always: false). It does not instruct modification of other skills or global agent settings. Autonomous invocation is allowed by platform default but does not raise concerns here by itself.
Guidance
This skill appears to do what it says: a local dashboard that inspects your OpenClaw gateway traffic. Before installing or building: (1) inspect the linked GitHub repo (globalcaos/tinkerclaw) and review package.json and plugin code for any unexpected network calls or telemetry, (2) run builds in an isolated environment if you are cautious, (3) be aware that the dashboard connects to your local gateway WebSocket and will see full conversation and tool-output content (treat it like sensitive data), and (4) verify the server only binds to localhost and that no external endpoints are contacted by the built UI. If you cannot review the repo, treat the install as higher risk.
Latest Release
v1.0.1
Rename fork refs → tinkerclaw
Published by @globalcaos on ClawHub