Anthony/openclaw-backups
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
openclaw-backups/skills/openclaw-dashboard/README.md

101 lines
3.4 KiB
Markdown
Raw Permalink Blame History

# OpenClaw Dashboard (Public)
Mobile-first operations dashboard for OpenClaw, focused on sessions, costs, cron, watchdog, and day-to-day operations.
This public repository is sanitized and simplified for sharing.
## Install via ClawHub
```bash
clawhub install openclaw-dashboard
cd ~/.openclaw/workspace/skills/openclaw-dashboard
cp env.example .env
node api-server.js
```
Then open http://localhost:18791
## Quick Start (from source)
```bash
git clone https://github.com/JonathanJing/openclaw-dashboard.git
cd openclaw-dashboard
cp env.example .env
# edit .env with your own values
node api-server.js
```
Then open:
- `http://localhost:18791/`
## Required Configuration
Default install has no hard key requirement.
- `OPENCLAW_AUTH_TOKEN` is **optional but recommended** for protected/local-auth usage.
- `gateway.authToken` is treated as optional capability context in skill metadata.
Use `env.example` (ClawHub package) or `.env.example` (source checkout) for optional overrides.
## Compliance Defaults (Important)
This public package now ships with restricted defaults:
- Dashboard binds to localhost by default (`DASHBOARD_HOST=127.0.0.1`)
- No automatic loading of `~/.openclaw/keys.env` unless `OPENCLAW_LOAD_KEYS_ENV=1`
- Provider org audit endpoint disabled unless `OPENCLAW_ENABLE_PROVIDER_AUDIT=1`
- Config file view endpoint (`/ops/config`) disabled unless `OPENCLAW_ENABLE_CONFIG_ENDPOINT=1`
- Absolute-path attachment copy mode disabled unless `OPENCLAW_ALLOW_ATTACHMENT_FILEPATH_COPY=1`
- Even when enabled, attachment copy only allows repo-local paths by default
- Extra source paths require explicit flags: `OPENCLAW_ALLOW_ATTACHMENT_COPY_FROM_TMP=1`, `OPENCLAW_ALLOW_ATTACHMENT_COPY_FROM_WORKSPACE=1`, and/or `OPENCLAW_ALLOW_ATTACHMENT_COPY_FROM_OPENCLAW_HOME=1`
- User-scoped systemctl restart disabled unless `OPENCLAW_ENABLE_SYSTEMCTL_RESTART=1`
- Frontend no longer sends auth token in query parameters for API calls
- Cron/task text sent to hooks is sanitized and treated as untrusted payload
- Mutating operations are disabled unless `OPENCLAW_ENABLE_MUTATING_OPS=1` and request is from localhost
- `server-monitor.html` now uses integrated authenticated `/metrics` endpoint
These defaults reduce accidental secret ingestion and over-broad local file access.
## Core Files
- `api-server.js`: backend API and operations logic
- `agent-dashboard.html`: single-file frontend UI
- `SKILL.md`: repository-level agent instructions
## Security Notes
- No real tokens should be committed.
- Keep secrets in local environment files only.
- Rotate tokens immediately if exposure is suspected.
## VirusTotal Compliance
Run a pre-release hash and upload workflow before publishing:
```bash
shasum -a 256 api-server.js agent-dashboard.html SKILL.md README.md env.example > vt-hashes.txt
```
Then submit these hashes/files to VirusTotal and attach the report IDs to your release notes.
If any file is flagged, block release and investigate before publishing.
## Publish to ClawHub
This repository is prepared as a ClawHub skill package with root-level `SKILL.md`.
```bash
clawhub publish . \
--slug openclaw-dashboard \
--name "OpenClaw Dashboard" \
--version 1.0.9 \
--changelog "Risk-surface reduction: localhost bind default, no token-in-query API usage, tighter attachment copy defaults, and integrated /metrics endpoint."
```
If your local version changes, update both:
- `SKILL.md` frontmatter `version`
- `clawhub publish --version`
## License
MIT
Reference in New Issue View Git Blame Copy Permalink