Skill for creating live dashboards, complete websites, and social-proof pages for Wesley-Agent. Trigger as soon as Georges mentions: dashboard, sit...
Security Analysis
medium confidence
The skill's declared needs (Telegram token + chat ID) match its described features, but the runtime instructions embed high-privilege operations (scp/ssh to a hard-coded VPS, docker exec, editing docker-compose, cloudflared tunnel setup) and hard-coded host/container paths that don't obviously belong inside a general-purpose 'dashboard builder' skill — review and verify ownership of the remote host and any commands before using.
Requesting TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID is coherent with the skill's photo-upload and Telegram integration. However, the documentation also repeatedly references a specific VPS IP, container name, and workspace paths (72.62.30.28, openclaw-yyvg-...), which is unexpected for a generic dashboard-builder skill and suggests either embedded vendor-specific deployment steps or possibly instructions targeted at a particular remote environment.
SKILL.md includes operational commands that modify remote infrastructure: scp/ssh to [email protected], docker cp/exec, editing docker-compose.yml, creating cloudflared tunnels and writing credentials under /root/.cloudflared, and adding systemd/autostart scripts. Those instructions go well beyond generating HTML/CSS/JS and require high privileges on a host; they could be dangerous if you do not control the referenced VPS. The skill also instructs enabling permissive CORS (CORS(app, origins=['*'])) and installing packages with --break-system-packages — both high-impact ops that should be reviewed.
No install spec and no code files are present — the skill is instruction-only, which minimizes direct supply-chain risk (nothing is auto-downloaded or written by an installer). The security surface is therefore the instructions themselves rather than any bundled executable code.
The only required environment variables are TELEGRAM_BOT_TOKEN (primary) and TELEGRAM_CHAT_ID, which are proportionate to the stated Telegram upload/display functionality. Reminder: Telegram bot tokens grant broad control over the bot and should be treated as sensitive secrets; the skill's docs also suggest using that token to upload/receive media and to share links, which is consistent but sensitive.
While the skill itself is not marked always:true, its instructions explicitly direct creation of persistent services (auto-start scripts, docker-compose changes, cloudflared tunnels, and permanent credentials files under /root). That operational guidance asks the user to create persistent privileges on the target host and expose local services to the public internet — actions that carry significant security and persistence implications if performed against a host you do not own or fully control.
Guidance
Do not blindly run the shell/ssh/docker/cloudflared commands in the docs. Before installing or following these steps:
1) Confirm you (or your organization) own and control the VPS IP, container name, and workspace paths referenced (72.62.30.28, openclaw-yyvg-...).
2) If you do not control that host, do not scp/ssh or apply the docker-compose/systemd changes — they would deploy code to a third-party machine.
3) Treat TELEGRAM_BOT_TOKEN as a secret: use a bot with minimal scope, rotate the token if it was exposed, and avoid sending tokens to remote machines whose ownership is unclear.
4) Review any suggested CORS and pip install commands (they can open services to the web or modify container internals); prefer limiting CORS origins and use vetted package installs.
5) If you want only local dashboard generation, ignore the hard-coded deployment steps and host the generated files on infrastructure you control (local machine, your VPS, or a trusted cloud bucket).
If you need a final judgment about safety for your environment, provide whether you control the referenced VPS and whether you intend the agent to run commands on your host.
Latest Release
v1.0.0
wesley-dashboard-builder 1.0.0 – Initial release with full web dashboard generation and deployment workflow.
- Creates live dashboards, full websites, and social proof pages for Wesley-Agent, with mobile-first, multi-screen HTML/CSS/JS output.
- Integrates real-time API data and optional Telegram bot uploads for photo galleries.
- Produces self-contained files (all inline, no local dependencies) ready for instant VPS deployment via Cloudflare tunnel.
- Outlines standard project structure, screen types, and design/coding rules (dark theme, fallback data, navigation).
- Step-by-step instructions provided for dashboard creation, API integration, media usage, and deployment.
- Includes detailed checklists to ensure quality and functionality before delivery.
Published by @georges91560 on ClawHub